PRINCIPAL
MR. J. K. SHAH
INTER CA
Information Technology
Head Office
Shraddha, 4th Floor, Old Nagardas Road,
Near Chinai College, Andheri (E), Mumbai - 400 069.
022 - 2683 66 66
INTER C.A. - INFORMATION TECHNOLOGY
INDEX
Categories Supporting
Management
Objectives
Automation Benefits
Implementation
Fixed Assets
General Ledger
Flow charts
Diagrammatic Representation
Data Flow Diagrams
J.K.SHAH CLASSES INTER C.A. – I.T.
1. Explain Enterprise Information System (EIS)
Business Process:
A Business Process is an activity or set of activities that will accomplish a specific
organizational goal.
Business Process Management (BPM):
Business Process Management (BPM) is a systematic approach to improving business
processes.
Depending on the organization, industry and nature of work, business processes are
often broken up into different categories, as shown in the figure below.
Categories of Business Processes (figure)
Human Resource Management (Example)
The main HR Process Areas are grouped into logical functional areas and they
are as follows:
· Recruitment and Staffing
· Goal Setting
· Training and Development
· Compensation and Benefits
· Performance Management
· Career Development
· Leadership Development
Budgeting Process (figure): Vision -> Strategic Plan -> Business Goals -> Cost
Projections and Revenue Projections -> Profit Projections -> Board Approval ->
Budget Review
The key objectives of BPA are to provide efficient and effective business
processes. The success of any business process automation is achieved only
when BPA ensures:
· Integrity: To ensure that no unauthorised amendments can be made to the
data, so that it remains accurate and complete.
· Availability: To ensure that data is available as and when required.
· Timeliness: To ensure that data is made available at the right time.
In order to achieve the above parameters, BPA needs to implement
appropriate controls.
Reduced Costs
· Manual tasks, given that they are performed one at a time and at a slower rate
than an automated task, cost more. Automation allows us to accomplish
more by utilising fewer resources.
The steps to go about implementing business process automation:
Step 1: Define why we plan to implement a BPA - The primary purpose for which an
enterprise implements automation may vary from enterprise to enterprise. Common
reasons include:
§ Errors in manual processes leading to higher costs.
§ Payment processes not streamlined, due to duplicate or late payments, missing
early pay discounts, and losing revenue.
§ Paying for goods and services not received.
§ Poor debtor management leading to high invoice aging and poor cash flow.
§ Not being able to find documents quickly during an audit or lawsuit or not being
able to find all documents.
§ Poor customer service.
Step 3: Document the process we wish to automate - At this step, the processes
which the organization wants to automate should be documented. The processes are
designed on paper or with computer software. The design of the process is normally
prepared with flowcharts.
The key benefits of documenting the processes are:
§ Provides clarity about the processes
§ It helps to determine the problems and issues in the processes
Step 5: Engage the business process consultant - To achieve BPA, the entity must
decide which company / consultant to partner with; this depends upon the following:
§ Objectivity of consultant in understanding/evaluating entity situation.
§ Does the consultant have experience with entity business process?
§ Is the consultant experienced in resolving critical business issues?
§ Whether the consultant is capable of recommending and implementing a
combination of hardware, software and services as appropriate to meeting
enterprise BPA requirements?
Overall, the appointed consultant should help organization to achieve the business
objectives of BPA and should help organization to adopt optimum BPA solutions.
Step 6: Calculate the ROI for the project - The right stakeholders need to be engaged
and involved to ensure that the benefits of BPA are clearly communicated and
implementation becomes successful.
Some of points which may justify BPA implementation are;
§ Cost Savings, being clearly computed and demonstrated.
§ How BPA could lead to reduction in required manpower leading to no new
recruits need to be hired and how existing employees can be re-deployed or
used for further expansion.
§ Savings in employee salary by not having to replace those due to attrition.
§ The cost of space regained from paper, file cabinets, reduced.
§ Eliminating fines to be paid by entity due to delays being avoided.
§ Reducing the cost of audits and lawsuits.
§ Taking advantage of early payment discounts and eliminating duplicate
payments.
§ New revenue generation opportunities.
§ Collecting accounts receivable faster and improving cash flow.
Step 7: Developing the BPA - Once the requirements have been documented, ROI has
been computed and top management approval to go ahead has been received, the
consultant develops the requisite BPA.
Step 8: Testing the BPA - Once developed, it is important to test the new process to
determine how well it works and the process of testing is an iterative process, the
objective being to remove all problems during this phase.
Summary of the steps:
Step 1: Define why we plan to implement BPA? - The answer to this question will
provide justification for implementing BPA.
Step 2: Understand the rules/regulations under which it needs to comply. - The
underlying issue is that any BPA created needs to comply with applicable laws and
regulations.
Step 3: Document the process we wish to automate. - The current processes which are
planned to be automated need to be correctly and completely documented at this step.
Step 4: Define the objectives/goals to be achieved by implementing BPA. - This
enables the developer and user to understand the reasons for going for BPA. The
goals need to be precise and clear.
Step 5: Engage the business process consultant. - Once the entity has been able to
define the above, the entity needs to appoint an expert who can implement it for the
entity.
Step 6: Calculate the RoI for the project. - The answer to this question can be used
for convincing top management to say 'yes' to the BPA exercise.
Step 7: Development of BPA. - Once the top management grant their approval, the right
business solution has to be procured and implemented, or developed and implemented,
covering the necessary BPA.
Step 8: Testing the BPA. - Before making the process live, the BPA solutions should
be fully tested.
8. Explain enterprise risk management
No entity operates in a risk-free environment, and ERM does not create such an
environment. Rather, it enables management to operate more effectively in
environments filled with risks. ERM provides enhanced capability to do the following:
· Align risk appetite and strategy: Risk appetite is the degree of risk, on a broad-
based level that an enterprise (any type of entity) is willing to accept to achieve
its goals. Management considers the entity’s risk appetite first in evaluating
strategic alternatives and setting objectives.
· Link growth, risk and return: Entities accept risk as part of value creation and
preservation, and they expect return matching with the risk. ERM provides an
enhanced ability to identify and assess risks, and establish acceptable levels of
risk relative to growth and return objectives.
· Enhance risk response decisions: ERM provides the means to identify and
select among alternative risk responses - risk avoidance, reduction, sharing and
acceptance. ERM provides methodologies and techniques for making these
decisions.
· Minimize operational surprises and losses: Entities have enhanced capability
to identify potential events, assess risk and establish responses, thereby
reducing the occurrence of surprises and related costs or losses.
· Identify and manage cross-enterprise risks: Every entity faces a number of
risks affecting different parts of the enterprise. Management needs to not only
manage individual risks, but also understand their interrelated impacts.
· Provide integrated responses to multiple risks: Business processes carry
many inherent risks, and ERM enables integrated solutions for managing the
risks.
· Seize opportunities: Management considers potential events, rather than just
risks, and by considering a full range of events, management gains an
understanding of how certain events represent opportunities.
(i) Internal Environment: ... entity's people, and the environment in which they
operate. The internal environment sets the foundation for how risk and control are
viewed and addressed by an entity's people.
(ii) Objective Setting: Objectives in line with entity’s mission / vision should be set
before management can identify events potentially affecting their achievement.
(iii) Event Identification: Potential events which includes risks and opportunities that
might have an impact on the entity should be identified. Event identification
includes identifying factors - internal and external - that influence how potential
events may affect strategy implementation and achievement of objectives.
(iv) Risk Assessment: Identified risks are analyzed to form a basis for determining
how they should be managed. Risk assessment is done to identify impact of such
risks on the organization objectives and strategy.
(v) Risk Response: Management selects a response strategy or combination of it
including avoiding, accepting, reducing and sharing risk.
(vi) Control Activities: Policies and procedures are established and executed to help
ensure that the risk responses management selected are effectively carried out.
(vii) Information and Communication: Relevant information is identified, captured
and communicated in a form and time frame that enable people to carry out their
responsibilities. Information is needed at all levels of an entity for identifying,
assessing and responding to risk.
(viii) Monitoring: The entire ERM process should be monitored, and modifications
made as necessary. Monitoring is accomplished through ongoing management
activities, separate evaluations of the ERM processes or a combination of the
both.
Risk is any event that may result in a significant deviation from a planned objective
resulting in an unwanted negative consequence. The degree of risk associated with an
event is determined by the likelihood (uncertainty, probability) of the event occurring,
the consequences (impact) if the event were to occur, and its timing.
Risks of Business Process Automation
The risks are classified below:
· Input & Access: All input transaction data may not be accurate, complete and
authorized.
· File & Data Transmission: All files and data transmitted may not be processed
accurately and completely, due to network error.
· Processing: Valid input data may not have been processed accurately and
completely due to program error or bugs.
· Output: Is not complete and accurate due to program error or bugs and is
distributed to unauthorized personnel due to weak access control.
· Data: Master data and transaction data may be changed by unauthorized
personnel due to weak access control.
· Infrastructure (facility): All data & programs could be lost if there is no proper
backup in the event of a disaster and the business could come to a standstill.
· Financial: Risk that could result in a negative financial impact to the
organization (waste or loss of assets).
· Regulatory (Compliance): Risk that could expose the organization to fines and
penalties from a regulatory agency due to non-compliance with laws and
regulations.
· Reputational: Risk that could expose the organization to negative publicity.
· Operational: Risk that could prevent the organization from operating in the
most effective and efficient manner.
Example - Purchase to Pay: Given below is a simple example of controls for the
Purchase to Pay cycle, which is broken down to four main components as shown in
the Fig.
· Purchases: When an employee working in a specific department (i.e.,
marketing, operations, sales, etc.) wants to purchase something required for
carrying out the job, he/she will submit a Purchase Requisition (PR) to a
manager for approval. Based on the approved PR a Purchase Order (PO) is
raised. The PO may be raised manually and then input into the computer system
or raised directly by the computer system.
· Goods Receipt: The PO is then sent to the vendor, who will deliver the goods as
per the specifications mentioned in the PO. When the goods are received at the
warehouse, the receiving staff checks the delivery note, PO number etc. and
acknowledges the receipt of the material. Quantity and quality are checked and
any unfit items are rejected and sent back to the vendor. A Goods Receipt Note
(GRN) is raised indicating the quantity received. The GRN may be raised
manually and then input into the computer system or raised directly by the
computer system.
Purchase to Pay cycle (figure): Purchases -> Goods Receipt -> Invoice Processing ->
Payment
An Internal Control System:
· Facilitates the effectiveness and efficiency of operations.
· Helps ensure the reliability of internal and external financial reporting.
· Assists compliance with applicable laws and regulations.
· Helps safeguarding the assets of the entity.
The extent and nature of the risks to internal control vary depending on the nature
and characteristics of the entity’s information system. The entity responds to the risks
arising from the use of IT or from use of manual elements in internal control by
establishing effective controls considering the characteristics of the entity’s information
system.
SA 315 explains the five components of any internal control as they relate to a
financial statement audit. The five components are as follows:
· Control Environment
· Risk Assessment
· Control Activities
· Information and Communication
· Monitoring of Controls
I. Control Environment
The Control Environment is the set of standards, processes, and structures that
provide the basis for carrying out internal control across the organization. The board of
directors and senior management establish the tone at the top regarding the
importance of internal control, including expected standards of conduct.
The control environment is manifested in management’s operating style, the
ways authority and responsibility are assigned, the functional method of the audit
committee, the methods used to plan and monitor performance and so on.
Controls include Segregation of Duties (SOD), which is the process of assigning
different people the responsibilities of authorizing transactions, recording
transactions, and maintaining custody of assets. Segregation of duties is intended to
reduce errors or fraud in the normal course of a person's duties: no single person
should be able to both initiate and conceal an irregular transaction.
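The SOD rule above is easiest to audit mechanically. As an added example (not from the J.K. Shah notes), the following Python maps each application role to the duty classes the text names (authorize, record, custody) and flags any user whose roles together span more than one class. The role names, the role-to-duty mapping and the sample user list are constructed for the illustration and are not those of any particular ERP.

```python
"""Segregation-of-duties (SOD) check over an application's user-role assignments.

Each role is mapped to the duty classes the text names (authorize, record,
custody); a user whose roles together cover more than one class is a SOD
conflict that needs either a role change or a documented compensating control.
The role names, the mapping and the sample users are constructed for this
illustration and are not those of any particular ERP.
"""

# Assumed role -> duty-class mapping, normally maintained by the control owner.
ROLE_DUTIES = {
    "PO_APPROVER":      {"authorize"},
    "AP_INVOICE_ENTRY": {"record"},
    "GL_POSTING":       {"record"},
    "PAYMENT_RELEASE":  {"custody"},   # releasing funds = custody of assets
    "WAREHOUSE_CLERK":  {"custody"},
    "REPORT_VIEWER":    set(),         # read-only, carries no conflicting duty
}

# Constructed sample of user -> roles, as exported from an application.
SAMPLE_ASSIGNMENTS = {
    "asha":  {"PO_APPROVER", "REPORT_VIEWER"},
    "bilal": {"AP_INVOICE_ENTRY", "PAYMENT_RELEASE"},                 # records and pays
    "chen":  {"PO_APPROVER", "AP_INVOICE_ENTRY", "PAYMENT_RELEASE"},  # all three duties
    "dev":   {"WAREHOUSE_CLERK"},
}


def duties_for(roles, role_duties=ROLE_DUTIES):
    """Union of the duty classes conferred by a set of roles.

    An unmapped role raises rather than silently counting as harmless,
    because a role nobody has classified is itself a review finding.
    """
    duties = set()
    for role in roles:
        if role not in role_duties:
            raise KeyError(f"role not in SOD mapping: {role}")
        duties |= role_duties[role]
    return duties


def sod_conflicts(assignments, role_duties=ROLE_DUTIES):
    """Return {user: sorted duty classes} for every user holding more than
    one duty class; an empty dict means no conflicts were found."""
    conflicts = {}
    for user, roles in assignments.items():
        held = duties_for(roles, role_duties)
        if len(held) > 1:
            conflicts[user] = sorted(held)
    return conflicts


if __name__ == "__main__":
    for user, duties in sod_conflicts(SAMPLE_ASSIGNMENTS).items():
        print(f"SOD conflict: {user} holds {', '.join(duties)}")
```

Run against the sample, `bilal` (records invoices and releases payments) and `chen` are reported; `asha` is not, because a read-only reporting role adds no duty class. The same check can be run on a periodic export of the live user list as a detective control.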
General Controls include controls over information technology management,
information technology infrastructure, security management and software acquisition,
development and maintenance.
Application Controls are designed to ensure completeness, accuracy, authorization
and validity of data capture and transaction processing.
V. Monitoring of Controls
Ongoing evaluations, separate evaluations, or some combination of the two are used
to ascertain whether each of the five components of internal control present and
functioning. Findings are evaluated against management’s criteria and deficiencies are
communicated to management and the board of directors as appropriate.
I. Flowcharting Symbols
· Clarify who or what performs each step.
Simple Flowchart (figure): Lamp doesn't work -> Bulb burned out? -> Yes: Replace
bulb; No: Repair lamp
Example 1: Draw a Flowchart for finding the sum of first 100 odd numbers.
Solution: The flowchart is drawn as Fig. 1.7.3 and is explained step by step below. The
step numbers are shown in the flowchart in circles; they are not a part of the
flowchart but only a referencing device.
Our purpose is to find the sum of the series 1, 3, 5, 7, 9, ... (100 terms). The
student can verify that the 100th term would be 199. We propose to set A = 1 and then go
on incrementing it by 2 so that it holds the various terms of the series in turn. B is an
accumulator in the sense that A is added to B each time, before A is incremented. Thus, B will hold:
1
1 + 3 = 4
4 + 5 = 9,
9 + 7 = 16, etc. in turn.
Step 1 - All working locations are set to zero. This is necessary because if they are holding
data from a previous program, that data is liable to corrupt the result of the flowchart.
Step 2 - A is set to 1 so that subsequently, by incrementing it successively by 2, we get the
wanted odd terms: 1, 3, 5, 7, etc.
Step 3 - A is poured into B, i.e., added to B. B being 0 at the moment and A being 1, B
becomes 0 + 1 = 1.
Step 4 - Step 4 poses a question: "Has A become 199?" If not, go to step 5, where A is
incremented by 2, so that although at the moment A is 1, it will be made 3 in step 5, and so
on; then go back to step 3, forming a loop. When A has become 199, the 100th term has
just been added, so the loop ends and step 6 prints B.
Fig. 1.7.3 (flowchart, rendered as text):
START
(1) Clear working locations
(2) Set A = 1
(3) B = B + A
(4) Is A = 199? No -> step 5; Yes -> step 6
(5) A = A + 2, then return to step 3
(6) Print B
END
Example 2
An E-commerce site has the following cash back offers.
(i) If the purchase mode is via website, an initial discount of 10% is given on the bill
amount.
(ii) If the purchase mode is via phone app, an initial discount of 20% is given on the bill
amount.
(iii) If done via any other purchase mode, the customer is not eligible for any discount.
Every purchase eligible to discount is given 10 reward points.
(a) If the reward points are between 100 and 200 points, the customer is eligible for a
further 30% discount on the bill amount after initial discount.
(b) If the reward points exceed 200 points, the customer is eligible for a further 40%
discount on the bill amount after initial discount.
Taking purchase mode, bill amount and number of purchases as input; draw a
flowchart to calculate and display the total reward points and total bill amount payable
by the customer after all the discount calculation.
Solution
Refer Fig. 1.7.4. Let us define the variables first:
PM: Purchase Mode; BA: Bill Amount; TBA: Total Bill Amount;
NOP: Number of Purchases; TRP: Total Reward Points; IN_DISC: Initial Discount;
ET_DISC: Extra Discount on purchases eligible for Initial Discount;
N: Counter (to track the number of purchases).
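As an added worked example (not part of the notes), both flowchart exercises translated into Python. `sum_of_first_odd_numbers` follows Fig. 1.7.3 step by step, with the loop test "is A = 199?" evaluated after the addition and before the increment, generalised to n terms (the last term is 2n - 1). `settle_purchases` implements the cash-back rules of Example 2 using the variable names defined above. Because Fig. 1.7.4 is not reproduced on the page, three assumptions are made and are marked in the code: reward points accumulate across the NOP purchases; the extra discount for a purchase is decided on the points accumulated up to and including that purchase; and it applies only to purchases that earned an initial discount.

```python
"""Python renderings of the two flowchart examples (added example, not from the notes)."""

def sum_of_first_odd_numbers(n=100):
    """Sum of the first n odd numbers, mirroring Fig. 1.7.3.

    The flowchart tests A against 199 (the 100th odd number); for n terms the
    last term is 2n - 1, so the test generalises to A == 2n - 1.
    """
    if n < 1:
        raise ValueError("need at least one term")
    b = 0                 # step 1: working location (accumulator) cleared
    a = 1                 # step 2: first term
    last = 2 * n - 1
    while True:
        b += a            # step 3: A is added to B
        if a == last:     # step 4: has A reached the last term?
            return b      # step 6: "print" B (returned so callers can check it)
        a += 2            # step 5: next odd term, then back to step 3


# Rules (i)-(iii): initial discount rate by purchase mode; any other mode gets none.
INITIAL_DISCOUNT = {"website": 0.10, "app": 0.20}
POINTS_PER_ELIGIBLE_PURCHASE = 10


def extra_discount_rate(trp):
    """Rules (a) and (b): further discount rate earned by the reward points held."""
    if trp > 200:
        return 0.40
    if 100 <= trp <= 200:
        return 0.30
    return 0.0


def settle_purchases(purchases):
    """Compute (TRP, TBA) for a list of (PM, BA) pairs; NOP is len(purchases).

    Assumptions (Fig. 1.7.4 is not on the page): TRP accumulates across the
    purchases; ET_DISC for a purchase is decided on TRP including that purchase's
    points; ET_DISC applies only to purchases that received IN_DISC.
    """
    trp = 0
    tba = 0.0
    for n, (pm, ba) in enumerate(purchases, start=1):   # N: purchase counter
        if ba < 0:
            raise ValueError(f"purchase {n}: negative bill amount {ba}")
        rate = INITIAL_DISCOUNT.get(pm.strip().lower(), 0.0)
        in_disc = ba * rate
        after_initial = ba - in_disc
        et_disc = 0.0
        if rate > 0:                                     # eligible purchase
            trp += POINTS_PER_ELIGIBLE_PURCHASE
            et_disc = after_initial * extra_discount_rate(trp)
        tba += after_initial - et_disc
    return trp, round(tba, 2)


if __name__ == "__main__":
    print("sum of first 100 odd numbers:", sum_of_first_odd_numbers(100))
    sample = [("website", 1000.0), ("cash", 500.0)] + [("app", 100.0)] * 11
    print("TRP, TBA:", settle_purchases(sample))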
20. Explain data flow diagrams.
· Data Flow Diagram (DFD) is a graphical representation of the flow of data
through a business process and information system.
· It represents the flow of data from source to destination.
· DFD is a graphical representation for logical flow of data. It helps in expressing
system logics in a simple and easy to understand form.
DFD basically provides an overview of:
· What data a system processes;
· What transformations are performed;
· What data are stored;
· What results are produced and where they flow.
It is mainly used by technical staff for graphically communicating between systems
analysts and programmers.
Simple DFD (Example) (figure; uses a "Library database" data store)
· The book is represented as an external entity and the input is the bar code.
· The process is the scanning of the bar code and giving an output of the Book ID.
· The next process calculates the fine based on accessing the “library database” and
establishing the “due back” date.
· Finally, the fine is communicated to the borrower who is also shown as an external
entity.
Diagrammatic Representation of Specific Business Processes
I. Customer Order Fulfillment (Refer Fig.)
· The process starts with the customer placing an order and the sales department
creating a sales order.
· The sales order goes through the Credit & Invoicing process, where the credit is
checked (an activity) and the question "is it OK?" is asked (a decision gateway).
· If the customer's credit check is not OK, you would move to the step "credit
problem addressed" (an activity), followed by a decision "OK?". If "No", the order
will be stopped.
· If the customer’s “credit check” response is “yes”, and if stock is available, an
invoice is prepared, goods shipped and an invoice is sent to the customer. If the
stock is not available, the order is passed to “production control” for manufacture
and then shipped to customer with the invoice.
· The process ends with the payment being received from customer.
(ii) Order Fulfillment
· Receives orders from SM.
· Checks inventory to establish availability of the product. If the product is
available in stock, transportation is arranged and the product is sent to the
customer.
(iii) Manufacturing
· If the product is not available in stock, this information is sent to the
manufacturing department so that the product is manufactured and subsequently
sent to the customer.
(figure): Create Invoice for the Orders -> Send to customer -> Receive payments ->
Close the invoice
· If there are no discrepancies, the vendor will raise an internal sales order
within the enterprise.
· The material is then shipped to the address indicated in the PO.
· The Vendor Invoice (VI) is sent to the Accounts Payable department, based
on the address indicated in the PO.
(iv) Stores
· Receives the material.
· Checks the quantity received with the PO and quality with the users. If there
is any discrepancy the vendor is immediately informed.
· The Goods Received Note (GRN) is prepared based on the actual receipt
of material and the stores stock updated. The GRN is then, sent to the
Accounts Payable department for processing the payment.
· A Material Issue Note is created and the material is sent to the concerned
user.
(v) Accounts Payable (AP)
· AP will do a "3-way match" of PO/GRN/Invoice. This is to ensure that the
price, quantity and terms indicated in the Invoice match the PO, and that the
quantity on the PO matches the quantity actually received per the GRN. This check
establishes that what has been ordered has been delivered, and only that is paid for.
· If there is no discrepancy, the payment voucher is prepared for payment
and the necessary approvals obtained.
· If there is a discrepancy, the Invoice is put “on hold” for further clarification
and subsequently processed.
· Finally, the payment is made to the vendor.
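The 3-way match is the control that prevents the "disbursements for goods not received" and "unauthorised supplier" risks listed later on this page. As an added example (not from the notes), the following Python performs it over three constructed documents: a PO, a GRN recording what stores actually accepted, and a vendor invoice. It returns the list of discrepancies; an empty list means the voucher may be prepared, anything else puts the invoice "on hold". The document layout, the 1% price tolerance and the field names are assumptions made for the illustration, not those of any particular ERP.

```python
"""Three-way match of PO / GRN / vendor invoice (added example, not from the notes)."""
from dataclasses import dataclass

PRICE_TOLERANCE = 0.01   # assumed policy: up to 1% unit-price variance is accepted


@dataclass
class PurchaseOrder:
    po_number: str
    vendor_id: str
    items: dict          # item code -> (quantity ordered, unit price)
    payment_terms: str


@dataclass
class GoodsReceipt:
    grn_number: str
    po_number: str
    received: dict       # item code -> quantity accepted by stores


@dataclass
class Invoice:
    invoice_number: str
    po_number: str
    vendor_id: str
    items: dict          # item code -> (quantity billed, unit price)
    payment_terms: str


def three_way_match(po, grn, inv, price_tol=PRICE_TOLERANCE):
    """Return discrepancy strings; empty list => invoice may go to voucher."""
    problems = []
    if grn.po_number != po.po_number or inv.po_number != po.po_number:
        return ["PO number mismatch across documents"]   # nothing else is comparable
    if inv.vendor_id != po.vendor_id:
        problems.append(f"invoice vendor {inv.vendor_id} differs from PO vendor {po.vendor_id}")
    if inv.payment_terms != po.payment_terms:
        problems.append(f"terms {inv.payment_terms!r} differ from PO terms {po.payment_terms!r}")
    for item, (qty_billed, price_billed) in inv.items.items():
        if item not in po.items:
            problems.append(f"{item}: billed but not on PO")
            continue
        qty_ordered, price_ordered = po.items[item]
        qty_received = grn.received.get(item, 0)
        if qty_received > qty_ordered:
            problems.append(f"{item}: received {qty_received} exceeds ordered {qty_ordered}")
        if qty_billed > qty_received:
            problems.append(f"{item}: billed {qty_billed} but only {qty_received} received")
        if abs(price_billed - price_ordered) > price_tol * price_ordered:
            problems.append(f"{item}: unit price {price_billed} vs PO {price_ordered}")
    return problems


# Constructed sample documents. 20 bolts were rejected at goods receipt.
SAMPLE_PO = PurchaseOrder("PO-1001", "V-77",
                          {"WIDGET": (100, 12.50), "BOLT": (500, 0.20)}, "NET30")
SAMPLE_GRN = GoodsReceipt("GRN-5001", "PO-1001", {"WIDGET": 100, "BOLT": 480})
SAMPLE_INVOICE_OK = Invoice("INV-9", "PO-1001", "V-77",
                            {"WIDGET": (100, 12.50), "BOLT": (480, 0.20)}, "NET30")
SAMPLE_INVOICE_BAD = Invoice("INV-10", "PO-1001", "V-77",
                             {"WIDGET": (100, 13.75), "BOLT": (500, 0.20)}, "NET15")

if __name__ == "__main__":
    for inv in (SAMPLE_INVOICE_OK, SAMPLE_INVOICE_BAD):
        issues = three_way_match(SAMPLE_PO, SAMPLE_GRN, inv)
        print(inv.invoice_number, "RELEASE" if not issues else "ON HOLD", issues)
```

Note that the match is driven by the GRN's accepted quantity, not the PO quantity: the vendor billing the full 500 bolts after 20 were rejected is exactly the case the control exists to catch.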
RISKS AND CONTROLS FOR SPECIFIC BUSINESS PROCESSES
1. Configuration
Configuration refers to the way a software system is set up. Configuration is the
process of defining the options that are provided. Configuration defines how software
will function and what menu options are displayed. When any software is installed,
values for various parameters should be set up (configured) as per the policies,
business process workflow and business process rules of the enterprise. The various
modules of the enterprise such as Purchase, Sales, Inventory, Finance, User Access
etc. have to be configured. Some examples of configuration are given below:
· Mapping of accounts to front end transactions like purchase and sales
· Control on parameters: Creation of Customer Type, Vendor Type, year-end
process
· User activation and deactivation
· User Access & privileges - Configuration & its management
· Password Management
2. Masters
· Masters refer to the way various parameters are set up for all modules of the
software, like Purchase, Sales, Inventory, Finance etc. These drive how the
software will process the relevant transactions.
· The masters are set up first time during installation and these are changed
whenever the business process rules or parameters are changed.
· Examples are Vendor Master, Customer Master, Material Master, Accounts
Master, Employee Master etc.
· Any changes to these data have to be authorised by appropriate personnel and
these are logged and captured in exception reports.
· The way masters are set up will drive the way software will process transactions
of that type. For example: The Customer Master will have the credit limit of the
customer. When an invoice is raised, the system will check against the approved
credit limit and if the amount invoiced is within the credit limit the invoice will be
created if not the invoice will be put on “credit hold” till proper approvals are
obtained.
Some examples of masters are given here:
· Vendor Master: Credit period, vendor bank account details, etc.
· Customer Master: Credit limit, Bill to address, Ship to address, etc.
· Material Master: Material type, Material description, Unit of measure, etc.
· Employee Master: Employee name, designation, salary details, etc.
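The credit-limit example above combines two controls: the master record drives the transaction check, and changes to the master are themselves restricted and logged. As an added example (not from the notes), the following Python models a customer master whose credit limit is applied at invoice time (exposure = outstanding balance + new invoice; anything over the limit goes to "credit hold"), while credit-limit changes are accepted only from an authorised maintainer and every attempt, accepted or rejected, is written to an exception log. The authorised-user set, the customer data and the log layout are assumptions for the illustration.

```python
"""Customer master: credit hold at invoice time and logged master changes
(added example, not from the notes)."""
from dataclasses import dataclass

# Assumed control-owner group permitted to maintain customer masters.
AUTHORISED_MASTER_MAINTAINERS = {"credit.manager"}


@dataclass
class Customer:
    customer_id: str
    credit_limit: float
    outstanding: float = 0.0      # unpaid invoices already created


class CustomerMaster:
    def __init__(self):
        self._customers = {}
        self.exception_log = []   # every master change attempt is captured here

    def add(self, customer):
        self._customers[customer.customer_id] = customer

    def change_credit_limit(self, customer_id, new_limit, changed_by):
        """Reject unauthorised maintainers; log both outcomes for the exception report."""
        if changed_by not in AUTHORISED_MASTER_MAINTAINERS:
            self.exception_log.append(("REJECTED", customer_id, changed_by, new_limit))
            raise PermissionError(f"{changed_by} may not maintain customer masters")
        cust = self._customers[customer_id]
        self.exception_log.append(("CHANGED", customer_id, changed_by,
                                   cust.credit_limit, new_limit))
        cust.credit_limit = new_limit

    def raise_invoice(self, customer_id, amount):
        """Return ('CREATED', exposure) or ('CREDIT_HOLD', exposure).

        A held invoice does not increase the outstanding balance until approved."""
        cust = self._customers[customer_id]
        exposure = cust.outstanding + amount
        if exposure > cust.credit_limit:
            return ("CREDIT_HOLD", exposure)
        cust.outstanding = exposure
        return ("CREATED", exposure)


def run_scenario():
    """Constructed walk-through; returns the results so they can be checked."""
    master = CustomerMaster()
    master.add(Customer("C-1", credit_limit=10_000.0, outstanding=7_000.0))
    first = master.raise_invoice("C-1", 2_000.0)          # 9,000 <= 10,000
    second = master.raise_invoice("C-1", 2_000.0)         # 11,000 > 10,000 -> hold
    try:
        master.change_credit_limit("C-1", 15_000.0, changed_by="sales.rep")
        rejected = False
    except PermissionError:
        rejected = True
    master.change_credit_limit("C-1", 15_000.0, changed_by="credit.manager")
    third = master.raise_invoice("C-1", 2_000.0)          # 11,000 <= 15,000
    return first, second, rejected, third, list(master.exception_log)


if __name__ == "__main__":
    for row in run_scenario():
        print(row)
```

The second invoice is held rather than silently created, and the sales representative's attempt to lift the limit appears in the exception log as a rejected change, which is what a reviewer of the master-data exception report would expect to see.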
3. Transactions
Transactions refer to the actual transactions entered through menus and functions in
the application software, through which all transactions for specific modules are
initiated, authorized or approved. For example:
· Sales transactions
· Purchase transactions
· Stock transfer transactions
· Journal entries
· Payment transactions
Masters
Risks and Control Objectives (Masters-P2P)

Risk: Unauthorized changes to supplier master file.
Control Objective: Only valid changes are made to the supplier master file.

Risk: All valid changes to the supplier master file are not input and processed.
Control Objective: All valid changes to the supplier master file are input and processed.

Risk: Changes to the supplier master file are not correct.
Control Objective: Changes to the supplier master file are accurate.

Risk: Changes to the supplier master file are delayed and not processed in a timely manner.
Control Objective: Changes to the supplier master file are processed in a timely manner.

Risk: Supplier master file data is not up to date.
Control Objective: Supplier master file data remain up to date.

Risk: System access to maintain vendor masters has not been restricted to the authorized users.
Control Objective: System access to maintain vendor masters has been restricted to the authorized users.
Transactions
Risks and Control Objectives (Transactions-P2P)

Risk: Unauthorized purchase requisitions are ordered.
Control Objective: Purchase orders are placed only for approved requisitions.

Risk: Purchase orders are not entered correctly in the system.
Control Objective: Purchase orders are accurately entered.

Risk: Purchase orders issued are not input and processed.
Control Objective: All purchase orders issued are input and processed.

Risk: Amounts posted to accounts payable are not properly calculated and recorded.
Control Objective: Accounts payable amounts are accurately calculated and recorded.

Risk: Amounts for goods or services received are recorded in the wrong period.
Control Objective: Amounts for goods or services received are recorded in the appropriate period.

Risk: Credit notes and other adjustments are not accurately calculated and recorded.
Control Objective: Credit notes and other adjustments are accurately calculated and recorded.

Risk: Credit notes and other adjustments are recorded in the wrong period.
Control Objective: Credit notes and other adjustments are recorded in the appropriate period.

Risk: Disbursements are made for goods and services that have not been received.
Control Objective: Disbursements are made only for goods and services received.

Risk: Disbursements are distributed to unauthorized suppliers.
Control Objective: Disbursements are distributed to the appropriate suppliers.

Risk: System access to process transactions has not been restricted to the authorized users.
Control Objective: System access to process transactions has been restricted to the authorized users.
Masters
Risks and Control Objectives (Masters-O2C)

Risk: The customer master file is not maintained properly and the information is not accurate.
Control Objective: The customer master file is maintained properly and the information is accurate.

Risk: Invalid changes are made to the customer master file.
Control Objective: Only valid changes are made to the customer master file.

Risk: All valid changes to the customer master file are not input and processed.
Control Objective: All valid changes to the customer master file are input and processed.

Risk: Changes to the customer master file are not accurate.
Control Objective: Changes to the customer master file are accurate.

Risk: Changes to the customer master file are not processed in a timely manner.
Control Objective: Changes to the customer master file are processed in a timely manner.

Risk: Customer master file data is not up-to-date and relevant.
Control Objective: Customer master file data is up to date and relevant.

Risk: System access to maintain customer masters has not been restricted to the authorized users.
Control Objective: System access to maintain customer masters has been restricted to the authorized users.
Transactions
Risks and Control Objectives (Transactions-O2C)

Risk: Orders are processed exceeding customer credit limits without approvals.
Control Objective: Orders are processed only within approved customer credit limits.

Risk: Orders are not approved by management as to prices and terms of sale.
Control Objective: Orders are approved by management as to prices and terms of sale.

Risk: Orders and cancellations of orders are not input accurately.
Control Objective: Orders and cancellations of orders are input accurately.

Risk: Order entry data are not transferred completely and accurately to the shipping and invoicing activities.
Control Objective: Order entry data are transferred completely and accurately to the shipping and invoicing activities.

Risk: All orders received from customers are not input and processed.
Control Objective: All orders received from customers are input and processed.

Risk: Invalid & unauthorized orders are input and processed.
Control Objective: Only valid & authorized orders are input and processed.

Risk: Invoices are generated using unauthorized terms and prices.
Control Objective: Invoices are generated using authorized terms and prices.

Risk: Invoices are not accurately calculated and recorded.
Control Objective: Invoices are accurately calculated and recorded.

Risk: Invoices are not recorded in the system.
Control Objective: All invoices issued are recorded.

Risk: Invoices are recorded in the wrong period.
Control Objective: Invoices are recorded in the appropriate period.

Risk: Cash receipts are not recorded in the period in which they are received.
Control Objective: Cash receipts are recorded in the period in which they are received.

Risk: Cash receipts data are not entered correctly.
Control Objective: Cash receipts data are entered for processing accurately.

Risk: Cash receipts are not entered in the system for processing.
Control Objective: All cash receipts data are entered for processing.
Masters
Risks and Control Objectives (Masters-Inventory)

Risk: Invalid changes are made to the inventory management master file.
Control Objective: Only valid changes are made to the inventory management master file.
Transactions
Risks and Control Objectives (Transactions-Inventory)

Risk: Raw materials are received and accepted without valid purchase orders.
Control Objective: Raw materials are received and accepted only if they have valid purchase orders.

Risk: Raw materials received are not recorded accurately.
Control Objective: Raw materials received are recorded accurately.

Risk: Raw materials received are not recorded in the system.
Control Objective: All raw materials received are recorded.

Risk: Defective raw materials are not returned promptly to suppliers.
Control Objective: Defective raw materials are returned promptly to suppliers.

Risk: Transfers of raw materials to production are not recorded accurately and are not in the appropriate period.
Control Objective: All transfers of raw materials to production are recorded accurately and in the appropriate period.

Risk: Transfers of completed units of production to finished goods inventory are not recorded completely and accurately and are posted in an inappropriate period.
Control Objective: All transfers of completed units of production to finished goods inventory are recorded completely and accurately in the appropriate period.

Risk: Finished goods returned by customers are not recorded completely and accurately and are posted in an inappropriate period.
Control Objective: Finished goods returned by customers are recorded completely and accurately in the appropriate period.

Risk: Shipments are not recorded in the system.
Control Objective: All shipments are recorded.

Risk: Shipments are not recorded accurately.
Control Objective: Shipments are recorded accurately.

Risk: Costs of shipped inventory are not accurately recorded.
Control Objective: Costs of shipped inventory are accurately recorded.

Risk: System access to process inventory related transactions has not been restricted to the authorized users.
Control Objective: System access to process inventory related transactions has been restricted to the authorized users.
21. Give two examples each of the Risks and Control Objectives for the following
business processes:
· Procure to Pay
· Order to Cash
· Inventory Cycle
3. Career Development: Career development opportunities are essential to keep an
employee engaged with the company over time. This can include professional growth
and training to prepare the employee for more responsible positions with the company.
4. Termination or Transition: Some employees will leave a company through
retirement after a long and successful career. Others will choose to move on to other
opportunities or be laid off. The role of HR in this process is to manage the transition
by ensuring that all policies and procedures are followed, carrying out an exit interview
if that is company policy and removing the employee from the system.
Configuration
Risks and Control Objectives (Configuration-Human Resources)
Risk: Employees who have left the company continue to have system access.
Control Objective: System access to be immediately removed when employees leave the company.
Risk: Employees have system access in excess of their job requirements.
Control Objective: Employees should be given system access on a “need to know” basis and to perform their job function.
Masters
Risks and Control Objectives (Masters-Human Resources)
Risk: Additions to the payroll master files do not represent valid employees.
Control Objective: Additions to the payroll master files represent valid employees.
Risk: New employees are not added to the payroll master files.
Control Objective: All new employees are added to the payroll master files.
Risk: Terminated employees are not removed from the payroll master files.
Control Objective: Terminated employees are removed from the payroll master files.
Risk: Deletions from the payroll master files do not represent valid terminations.
Control Objective: Deletions from the payroll master files represent valid terminations.
Risk: Invalid changes are made to the payroll master files.
Control Objective: Only valid changes are made to the payroll master files.
Risk: Payroll master file data is not up to date.
Control Objective: Payroll master file data remain up to date.
Risk: Payroll is disbursed to inappropriate employees.
Control Objective: Payroll is disbursed to appropriate employees.
Risk: System access to process employee master changes has not been restricted to the authorized users.
Control Objective: System access to process employee master changes has been restricted to the authorized users.
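The two configuration risks above (leavers who keep access, access beyond job need) and the masters risk that payroll additions do not represent valid employees are the kind of thing a periodic access review catches. The Python below is an added example, not code from these notes or from any HR package; the employee ids, roles, entitlement names and the role-to-entitlement map are all constructed sample data.

```python
"""Added example (not code from the J.K. Shah notes): reconcile an HR/payroll
master against an application's access list to flag the configuration risks
listed above. Employee ids, roles, entitlement names and the role map are all
constructed sample data."""
from datetime import date

# Constructed HR master: job role and termination date (None = still employed)
HR_MASTER = {
    "E001": {"name": "Asha", "role": "payroll_clerk", "terminated": None},
    "E002": {"name": "Ravi", "role": "sales_exec", "terminated": date(2023, 12, 31)},
    "E003": {"name": "Meera", "role": "hr_admin", "terminated": None},
}

# Constructed "need to know" map: the entitlements each job role requires
ROLE_ENTITLEMENTS = {
    "payroll_clerk": {"payroll.view", "payroll.enter"},
    "sales_exec": {"orders.enter", "customers.view"},
    "hr_admin": {"employee_master.change", "payroll.view"},
}

# Constructed access list: what the application actually grants today
SYSTEM_ACCESS = {
    "E001": {"payroll.view", "payroll.enter", "employee_master.change"},
    "E002": {"orders.enter", "customers.view"},
    "E003": {"employee_master.change", "payroll.view"},
    "E999": {"payroll.enter"},
}


def leavers_with_access(hr, access, as_of):
    """Risk: employees who have left the company continue to have system access."""
    return sorted(
        emp for emp, grants in access.items()
        if grants and emp in hr
        and hr[emp]["terminated"] is not None
        and hr[emp]["terminated"] < as_of
    )


def unknown_accounts(hr, access):
    """Accounts holding access that match no employee in the master file."""
    return sorted(emp for emp in access if emp not in hr)


def excess_access(hr, access, role_map):
    """Risk: employees have system access in excess of their job requirements."""
    findings = {}
    for emp, grants in access.items():
        if emp not in hr:
            continue  # reported separately by unknown_accounts()
        allowed = role_map.get(hr[emp]["role"], set())
        extra = grants - allowed
        if extra:
            findings[emp] = sorted(extra)
    return findings


def master_change_and_payroll_entry(access):
    """One person able to both change the employee master and enter payroll
    weakens the control that payroll master additions represent valid employees."""
    return sorted(
        emp for emp, grants in access.items()
        if {"employee_master.change", "payroll.enter"} <= grants
    )


def access_review(hr=HR_MASTER, access=SYSTEM_ACCESS, role_map=ROLE_ENTITLEMENTS,
                  as_of=date(2024, 3, 31)):
    """Run every check and return one report dict, as a periodic access review would."""
    return {
        "leavers_with_access": leavers_with_access(hr, access, as_of),
        "unknown_accounts": unknown_accounts(hr, access),
        "excess_access": excess_access(hr, access, role_map),
        "master_and_payroll_conflict": master_change_and_payroll_entry(access),
    }


if __name__ == "__main__":
    for check, result in access_review().items():
        print(f"{check}: {result}")
```

With the constructed data the review flags E002 (terminated but still holding access), E999 (an account with no matching employee), E001 (an entitlement outside the payroll clerk role) and the same E001 as holding both master-change and payroll-entry rights. Each finding maps to one of the control objectives in the tables above.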
2. Registering or Adding an asset: Most of the information needed to set up the asset
for depreciation is available at the time the invoice is entered. Information entered at
this stage could include; acquisition date, placed-in-service date, description, asset
type, cost basis, depreciable basis etc.
3. Adjusting the Assets: Adjustments to existing asset information often need to be
made. Events may occur that change the depreciable basis of an asset. Further, there
may be improvements or repairs made to an asset that either add value to the asset or
extend its economic life.
4. Transferring the Assets: A fixed asset may be sold or transferred to another
subsidiary, reporting entity, or department within the company. These may result in
changes that impact the asset’s depreciable basis, depreciation, or other asset data.
This needs to be reflected accurately in the fixed assets management system.
5. Depreciating the Assets: Depreciation is an expense which should be periodically
accounted on a company’s books, and allocated to the accounting periods, to match
income and expenses.
6. Disposing the Assets: When a fixed asset is no longer in use, becomes obsolete, or is
beyond repair, the asset is typically disposed of. Any difference between the book value
and the realized value is reported as a gain or loss.
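Steps 5 and 6 above (allocating depreciation to accounting periods and reporting a gain or loss on disposal) are easy to get wrong in the period dimension, which is exactly what the "appropriate period" control objectives below test for. The following Python is an added example, not code from these notes or from any fixed asset package; it uses straight-line depreciation, and the asset values, dates and financial-year boundaries are constructed.

```python
"""Added example (not code from the J.K. Shah notes): a minimal fixed asset
record that allocates straight-line depreciation to accounting periods and
reports the gain or loss on disposal. Asset values and dates are constructed."""
from datetime import date
from decimal import Decimal, ROUND_HALF_UP

PAISE = Decimal("0.01")


def _month_index(d):
    """Months since year 0, so consecutive calendar months differ by exactly 1."""
    return d.year * 12 + (d.month - 1)


class FixedAsset:
    def __init__(self, asset_id, cost, salvage, life_years, placed_in_service):
        self.asset_id = asset_id
        self.cost = Decimal(cost)
        self.salvage = Decimal(salvage)
        self.life_months = life_years * 12
        self.placed_in_service = placed_in_service
        self.disposed_on = None

    def monthly_charge(self):
        """Straight-line: depreciable basis (cost less salvage) spread evenly over the life."""
        basis = self.cost - self.salvage
        return (basis / self.life_months).quantize(PAISE, ROUND_HALF_UP)

    def _months_through(self, month_idx):
        """Months of service from the in-service month through month_idx inclusive,
        never negative and never more than the asset's life."""
        n = month_idx - _month_index(self.placed_in_service) + 1
        return max(0, min(n, self.life_months))

    def accumulated_depreciation(self, as_of):
        return self.monthly_charge() * self._months_through(_month_index(as_of))

    def depreciation_for_period(self, period_start, period_end):
        """Charge belonging to one accounting period only. Booking exactly this
        amount in this period is the 'appropriate period' control objective."""
        months = (self._months_through(_month_index(period_end))
                  - self._months_through(_month_index(period_start) - 1))
        return self.monthly_charge() * months

    def book_value(self, as_of):
        return self.cost - self.accumulated_depreciation(as_of)

    def dispose(self, proceeds, on):
        """Realized value less book value: positive is a gain, negative a loss."""
        if self.disposed_on is not None:
            raise ValueError(f"{self.asset_id} already disposed on {self.disposed_on}")
        self.disposed_on = on
        return (Decimal(proceeds) - self.book_value(on)).quantize(PAISE, ROUND_HALF_UP)


def financial_year(start_year):
    """Constructed convention: April to March financial year."""
    return date(start_year, 4, 1), date(start_year + 1, 3, 31)


if __name__ == "__main__":
    # Constructed asset: Rs 1,20,000 machine, no salvage, 5-year life, in service April 2023
    machine = FixedAsset("M-01", 120000, 0, 5, date(2023, 4, 1))
    for fy in range(2022, 2029):
        print(f"FY {fy}-{fy + 1}: depreciation {machine.depreciation_for_period(*financial_year(fy))}")
    print("book value 31-Mar-2024:", machine.book_value(date(2024, 3, 31)))
    print("gain/loss on disposal for 1,00,000:", machine.dispose(100000, date(2024, 3, 31)))
```

Running it shows no charge in the year before the asset was placed in service, Rs 24,000 in each of the five service years, nothing afterwards, and a gain of Rs 4,000 when the machine is sold for Rs 1,00,000 against a book value of Rs 96,000. A control test compares the per-period figure the system booked with `depreciation_for_period` for the same period.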
Masters
Risks and Control Objectives (Masters-Fixed Assets)
Risk: Invalid changes are made to the fixed asset register and/or master file.
Control Objective: Only valid changes are made to the fixed asset register and/or master file.
Risk: Valid changes to the fixed asset register and/or master file are not input and processed.
Control Objective: All valid changes to the fixed asset register and/or master file are input and processed.
Risk: Changes to the fixed asset register and/or master file are not accurate.
Control Objective: Changes to the fixed asset register and/or master file are accurate.
Risk: Changes to the fixed asset register and/or master file are not promptly processed.
Control Objective: Changes to the fixed asset register and/or master file are promptly processed.
Risk: Fixed asset register and/or master file data are not kept up to date.
Control Objective: Fixed asset register and/or master file data remain up to date.
Risk: System access to fixed asset master file / system configuration is not restricted to the authorized users.
Control Objective: System access to fixed asset master file / system configuration is restricted to the authorized users.
Transactions
Risks and Control Objectives (Transactions-Fixed Assets)
Risk: Fixed asset acquisitions are not accurately recorded.
Control Objective: Fixed asset acquisitions are accurately recorded.
Risk: Fixed asset acquisitions are not recorded in the appropriate period.
Control Objective: Fixed asset acquisitions are recorded in the appropriate period.
Risk: Fixed asset acquisitions are not recorded.
Control Objective: All fixed asset acquisitions are recorded.
Risk: Depreciation charges are not accurately calculated and recorded.
Control Objective: Depreciation charges are accurately calculated and recorded.
Risk: Depreciation charges are not recorded in the appropriate period.
Control Objective: All depreciation charges are recorded in the appropriate period.
Risk: Fixed asset disposals/transfers are not recorded.
Control Objective: All fixed asset disposals/transfers are recorded.
Risk: Fixed asset disposals/transfers are not accurately calculated and recorded.
Control Objective: Fixed asset disposals/transfers are accurately calculated and recorded.
Risk: Fixed asset disposals/transfers are not recorded in the appropriate period.
Control Objective: Fixed asset disposals/transfers are recorded in the appropriate period.
Risk: System access to process fixed asset transactions has not been restricted to the authorized users.
Control Objective: System access to process fixed asset transactions has been restricted to the authorized users.
Configuration
Risks and Control Objectives (Configuration-General Ledger)
Risk: Unauthorized general ledger entries could be passed.
Control Objective: Access to general ledger entries is appropriate and authorized.
Risk: System functionality does not exist to segregate the posting and approval functions.
Control Objective: System functionality exists to segregate the posting and approval functions.
Risk: Systems do not generate reports of all recurring and non-recurring journal entries for review by management for accuracy.
Control Objective: Systems generate reports of all recurring and non-recurring journal entries for review by management for accuracy.
Risk: Non-standard journal entries are not tracked and are inappropriate.
Control Objective: All non-standard journal entries are tracked and are appropriate.
Risk: System controls are not in place for appropriate approval of write-offs.
Control Objective: System controls are in place for appropriate approval of write-offs.
Risk: Transactions can be recorded outside of financial close cutoff requirements.
Control Objective: Transactions cannot be recorded outside of financial close cutoff requirements.
Risk: The sources of all entries are not readily identifiable.
Control Objective: The sources of all entries are readily identifiable.
Risk: Transactions are not rejected, or accepted and identified, on exception reports in the event of data exceptions.
Control Objective: Transactions are rejected, or accepted and identified, on exception reports in the event of data exceptions.
Risk: Adding to or deleting general ledger accounts is not limited to authorized accounting department personnel.
Control Objective: Adding to or deleting general ledger accounts is limited to authorized accounting department personnel.
Masters
Risks and Control Objectives (Masters-General Ledger)
Risk: General ledger master file change reports are not generated by the system and are not reviewed as necessary by an individual who does not input the changes.
Control Objective: General ledger master file change reports are generated by the system and reviewed as necessary by an individual who does not input the changes.
Risk: A standard chart of accounts has not been approved by management and is not utilized within all entities of the corporation.
Control Objective: A standard chart of accounts has been approved by management and is utilized within all entities of the corporation.
Transactions
Risks and Control Objectives (Transactions-General Ledger)
Risk: General ledger balances are not reconciled to sub-ledger balances, and such reconciliations are not reviewed for accuracy and not approved by supervisory personnel.
Control Objective: General ledger balances reconcile to sub-ledger balances, and such reconciliations are reviewed for accuracy and approved by supervisory personnel.
Risk: Interrelated balance sheet and income statement accounts do not undergo automated reconciliation to confirm accuracy of such accounts.
Control Objective: Interrelated balance sheet and income statement accounts undergo automated reconciliation to confirm accuracy of such accounts.
Risk: Account codes and transaction amounts are not accurate and not complete, and exceptions are not reported.
Control Objective: Account codes and transaction amounts are accurate and complete, with exceptions reported.
Risk: A report of all journal entries completed as part of the closing process is not reviewed by management to confirm the completeness and appropriateness of all recorded entries.
Control Objective: A report of all journal entries completed as part of the closing process is reviewed by management to confirm the completeness and appropriateness of all recorded entries.
Risk: Entries booked in the close process are not complete and accurate.
Control Objective: Entries booked in the close process are complete and accurate.
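Several of the general ledger control objectives above (segregated posting and approval, close cutoff, identifiable sources, exception reporting, sub-ledger reconciliation) are application controls that can be enforced at posting time rather than detected afterwards. The Python below is an added example, not code from these notes or from any accounting product; the chart of accounts, user names, entries and sub-ledger balances are constructed.

```python
"""Added example (not code from the J.K. Shah notes): a toy general ledger that
enforces several of the control objectives above before an entry is posted.
Accounts, users, entries and sub-ledger balances are constructed sample data."""
from dataclasses import dataclass
from datetime import date
from decimal import Decimal
from typing import List, Optional


@dataclass
class Line:
    account: str
    debit: Decimal = Decimal(0)
    credit: Decimal = Decimal(0)


@dataclass
class JournalEntry:
    entry_id: str
    entry_date: date
    source: str                 # document the entry was booked from
    prepared_by: str
    approved_by: Optional[str]
    lines: List[Line]


class GeneralLedger:
    def __init__(self, chart_of_accounts, close_cutoff):
        self.chart = set(chart_of_accounts)   # only authorized accounts exist
        self.close_cutoff = close_cutoff       # end of the last closed period
        self.posted = []
        self.exceptions = []                   # (entry_id, reasons): the exception report

    def validate(self, je):
        """Return the list of control failures; an empty list means the entry may post."""
        reasons = []
        if not je.lines or sum(l.debit for l in je.lines) != sum(l.credit for l in je.lines):
            reasons.append("unbalanced entry")
        for l in je.lines:
            if l.account not in self.chart:
                reasons.append(f"account not in chart of accounts: {l.account}")
        if not je.source:
            reasons.append("source of entry not identifiable")
        if je.entry_date <= self.close_cutoff:
            reasons.append("dated inside a closed period (cutoff)")
        if je.approved_by is None:
            reasons.append("not approved")
        elif je.approved_by == je.prepared_by:
            reasons.append("preparer and approver are the same person")
        return reasons

    def post(self, je):
        """Reject or accept; rejected entries go to the exception report for review."""
        reasons = self.validate(je)
        if reasons:
            self.exceptions.append((je.entry_id, reasons))
            return False
        self.posted.append(je)
        return True

    def balance(self, account):
        """Debit balance positive, credit balance negative."""
        return sum(l.debit - l.credit for je in self.posted for l in je.lines
                   if l.account == account)

    def reconcile(self, control_account, subledger):
        """GL control account less the sum of sub-ledger balances; zero means reconciled."""
        return self.balance(control_account) - sum(subledger.values())


def demo():
    """Constructed scenario: books closed through March 2024, four April entries."""
    gl = GeneralLedger({"1000 Cash", "1200 Accounts Receivable", "4000 Sales"},
                       close_cutoff=date(2024, 3, 31))
    entries = [
        JournalEntry("JE1", date(2024, 4, 5), "INV-101", "asha", "ravi",
                     [Line("1200 Accounts Receivable", debit=Decimal(1000)),
                      Line("4000 Sales", credit=Decimal(1000))]),
        JournalEntry("JE2", date(2024, 4, 6), "INV-102", "asha", "ravi",   # unbalanced
                     [Line("1200 Accounts Receivable", debit=Decimal(500)),
                      Line("4000 Sales", credit=Decimal(50))]),
        JournalEntry("JE3", date(2024, 4, 7), "INV-103", "asha", "asha",   # no segregation
                     [Line("1000 Cash", debit=Decimal(200)),
                      Line("4000 Sales", credit=Decimal(200))]),
        JournalEntry("JE4", date(2024, 3, 15), "", "asha", "ravi",         # closed period, no source
                     [Line("1000 Cash", debit=Decimal(300)),
                      Line("4000 Sales", credit=Decimal(300))]),
    ]
    for je in entries:
        gl.post(je)
    return gl


if __name__ == "__main__":
    gl = demo()
    print("posted:", [je.entry_id for je in gl.posted])
    print("exceptions:", gl.exceptions)
    print("AR vs sub-ledger:", gl.reconcile("1200 Accounts Receivable",
                                            {"C1": Decimal(600), "C2": Decimal(400)}))
```

Only JE1 posts; the other three land on the exception report with the reason stated, which is what "transactions are rejected, or accepted and identified, on exception reports" asks for. The reconciliation returns zero when the customer sub-ledger adds up to the control account and a non-zero difference otherwise, giving the reviewer a number to approve or investigate.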
The core to any enterprise’s success is to have an efficient and effective financial
information system to support decision-making and monitoring. The risks, controls and
security of such systems should be clearly understood in order to pass an objective opinion
about the adequacy of control in an IT environment.
22. Explain the salient features of Section 134 & Section 143 of the Companies Act 2013.
The Directors’ Responsibility Statement referred to in clause (c) of sub-section (3)
shall state that:
the Directors had taken proper and sufficient care for the maintenance of adequate
accounting records in accordance with the provisions of this Act for safeguarding the
assets of the company and for preventing and detecting fraud and other irregularities;
the directors, in the case of a listed company, had laid down internal financial controls
to be followed by the company and that such internal financial controls are
adequate and were operating effectively.
Explanation: For the purposes of this clause, the term “internal financial controls”
means the policies and procedures adopted by the company for ensuring the orderly
and efficient conduct of its business, including adherence to company’s policies, the
safeguarding of its assets, the prevention and detection of frauds and errors, the
accuracy and completeness of the accounting records, and the timely preparation of
reliable financial information; the directors had devised proper systems to ensure
compliance with the provisions of all applicable laws and that such systems were
adequate and operating effectively.
The inclusion of the matters relating to internal financial controls in the directors’
responsibility statement is in addition to the requirement for the directors to state that
they have taken proper and sufficient care for the maintenance of adequate
accounting records in accordance with the provisions of the 2013 Act, for safeguarding
the assets of the company and for preventing and detecting fraud and other
irregularities.
Risk Management (figure): Risk Identification, Risk Prioritization, Risk Reduction, Risk Monitoring.
Management selects a risk response strategy for specific risks identified and analysed,
which may include:
(i) Avoidance: Not doing an activity which causes risk.
(ii) Reduction: taking action to reduce the likelihood or impact related to the risk.
(iii) Alternative Actions: deciding and considering other feasible steps to minimize risks.
(iv) Share or Insure: transferring or sharing a portion of the risk, to finance it.
(v) Accept: no action is taken, due to a cost/benefit decision.
· The Act throws open the doors for the entry of corporate companies in the
business of being Certifying Authorities for issuing Digital Signatures Certificates.
· The Act now allows Government to issue notification on the web thus heralding
e-governance.
· The Act enables the companies to file any form, application or any other
document with any office, authority, body or agency owned or controlled by the
appropriate Government in electronic form by means of such electronic form as
may be prescribed by the appropriate Government.
· The IT Act also addresses the important issues of security, which are so critical
to the success of electronic transactions.
· The Act has given a legal definition to the concept of secure digital signatures
that would be required to have been passed through a system of a security
procedure, as stipulated by the Government at a later date.
Under the IT Act, 2000, it shall now be possible for corporates to have a statutory
remedy in case if anyone breaks into their computer systems or network and causes
damages or copies data. The remedy provided by the Act is in the form of monetary
damages, not exceeding Rs. 1 crore.
III. Privacy
The main principles on data protection and privacy enumerated under the IT Act, 2000
are:
· defining ‘data’, ‘computer database’, ‘information’, ‘electronic form’, ‘originator’,
‘addressee’ etc.
· creating civil liability if any person accesses or secures access to computer,
computer system or computer network
· creating criminal liability if any person accesses or secures access to computer,
computer system or computer network
· declaring any computer, computer system or computer network as a protected
system
· imposing penalty for breach of confidentiality and privacy
· setting up of hierarchy of regulatory authorities, namely adjudicating officers, the
Cyber Regulations Appellate Tribunal etc.
IV. Cyber crime
The term ‘Cyber Crime’ finds no mention either in The Information Technology Act 2000
or in any other legislation of the country. Cyber Crime is no different from traditional
crime; the only difference is that in Cyber Crime, computer technology is involved.
This can be explained by the following instance:
· Traditional Theft: ‘A’ thief enters in B’s house and steals an object kept in the
house.
· Hacking: ‘A’ Cyber Criminal sitting in his own house, through his computer hacks
the computer of ‘B’ and steals the data saved in B’s computer without physically
touching the computer or entering in B’s house. Hence Cyber Crime is a
Computer related crime.
The IT Act, 2000 defines the terms access in computer network in section 2(a),
computer in section 2(i), computer network in section (2j), data in section 2(o) and
information in section 2(v). These are all the necessary ingredients that are useful to
technically understand the concept of Cyber Crime.
Definitions
2(a) “Access” with its grammatical variations and cognate expressions means gaining
entry into, instructing or communicating with the logical, arithmetical, or memory
function resources of a computer, computer system or computer network;
2(i) “Computer” means any electronic, magnetic, optical or other high-speed data
processing device or system which performs logical, arithmetic, and memory
functions by manipulations of electronic, magnetic or optical impulses, and
includes all input, output, processing, storage, computer software, or
communication facilities which are connected or related to the computer in a
computer system or computer network;
2(v) “Information” includes data, message, text, images, sound, voice, codes, computer
programmes, software and databases or micro film or computer generated micro fiche;
Scope of Rules: Currently the Rules apply to Body Corporate and digital data. As per
the IT Act, Body Corporate is defined as “Any company and includes a firm, sole
proprietorship or other association of individuals engaged in commercial or
professional activities.”
Definition of Personal and Sensitive Personal data: Rule 2(i) defines personal
information as “information that relates to a natural person which either directly or
indirectly, or combination with other information available or likely to be available with
a body corporate, is capable of identifying such person.”
Rule 3 defines sensitive personal information as:
· Passwords
· Financial information
· Physical/physiological/mental health condition
· Medical records and history; and
· Biometric information
Consent: Rule 5(1) requires that Body Corporate should, prior to collection, obtain consent
in writing through letter or fax or email from the provider of sensitive personal data regarding
the use of that data.
In a context where services are delivered with little or no human interaction, data is
collected through sensors, data is collected on a real time and regular basis, and data is
used and re-used for multiple and differing purposes - it is not practical, and often not
possible, for consent to be obtained through writing, letter, fax, or email for each instance of
data collection and for each use.
Q.1 Draw a flowchart to compute simple interest
Q.3 Draw a flowchart to draw & print discounted amount , where Discount is 5 %
Q.4 Draw a flowchart to calculate & print discounted amount , discount rate is 20 % , if sale
is < 10,000 Or else 30 %
Q.5 Draw a flowchart to calculate Simple Interest, if rate of interest for Indians 10 % and
For others 20 %
Q.6 The goods imported from the foreign countries are classified into four categories for
the purpose of levying custom duty. The rate of custom duty of value of goods for each
category is given below:
1. Electronic items 10
2. Heavy machinery 15
3. Footwear items 20
Draw a flow chart to compute appropriate custom duty including educational cess at
the rate of 3% of the value of custom duty
Cycle is as follows
Model 1 10 Rs per day
Model 2 20 Rs per day
Model 3 30 Rs per day
Where deposit is 25
Q. 8. Draw a Flowchart to compute and print income tax, surcharge and education cess on
the income of a person, where income is to be read from terminal and tax is to be
calculated as per the following rates:
Slab(Rs) Rate
(1) 1 to 1,00,000 No Tax
(2) 1,00,001 to 1,50,000 @10% amt above 1,00,000
(3) 1,50,001 to 2,50,000 Rs 5000 + 20% of amt above 1,50,000
(4) 2,50,001 onwards Rs 25,000 + 30% of Amt above 2,50,000
Q. 9. Draw flow chart to compute and print income-tax and surcharge on the income of the
individual, the income is to be read from terminal and tax is to be calculated as per the
following rates:
Up to 50,000 No tax
charge surcharge @5% on the amount of total tax, if the income of a person
exceeds Rs.60,000
Q.11.Draw a flowchart to calculate Simple Interest of 50 customers & calculate total simple
interest of 50 customers
Q.12.A book publisher offers discount to customers on the basis of customer type and
number of copies ordered as shown below
Customer number , name , type , book number , number of copies ordered and unit
price are given as input . Draw a flow chart to calculate the net amount of the bill for
each customer and print it . The above is to be carried out for 50 customers.
Q.13. An electric supply company charges the following rates from its consumers:
No. of units consumed / Charges per unit (Rs.)
For the first 200 units: 2.50
For the next 300 units: 3.50
Over 500 units: 5.00
Computer database of the company has the following information :
1) Consumer name
2) Address
3) Unit consumed
4) Bill Date
5) Payment date
if the consumer pays his bill within 15 days from the bill date,10 % discount is given.
If he makes the payment after 15 days from the bill date,5 % surcharge is levied .
Draw a flow chart to calculate the net amount of the bill for each consumer and print it.
(i) Domestic
(ii) Commercial
(iii) Industry
The charges of electricity per unit consumed by these consumers are Rs.3, Rs.4 and
Rs.5 respectively. The computer Database of the company has the following
information:
The company processes bills according to the following criterion. If the consumer is
domestic and pays bill within 10 days of the bill date 5% discount is given. If he pays
the bill within 15 days, no discount is given. If he makes the payment after 15 days of
the bill date, 10% surcharge is levied.
Q.15. An electric supply company charges the following rates from its consumers
Draw a flowchart to read the consumer no & no of units consumed & print out Total
charges with customer number & units consumed
Q.16.A bicycle shop in a city hires bicycles by the day at different rates for different models
as below
In order to attract customers , the shopkeeper gives a discount on the number of days
a bicycle is hired for .The policy of discount is as given below
For every bicycle hired a deposit of Rs.30.00 must be paid. Develop a flow chart to
print out details for each customer such as name of the customer, bicycle model
number, number of days a bicycle is hired for, hire charges , discount and total
charges.
Q.17. A Housing Society in a newly developed Smart City has provided several advanced
security systems to each house in that city. Based on the value of these advanced
security systems installed in each house, the Society has divided all the houses in four
categories and fixed the criteria for annual maintenance charges as under:
- Performance Marks < 70, then increment shall be 10% of present salary.
- 70 ≤ Performance marks < 80, then increment shall be 20% of present salary.
Draw a Flow-Chart to enable to print the details like name of the engineer,
performance marks, monthly increment amount and revised monthly salary for
each of these 50 engineers.
CHAPTER-2
FINANCIAL AND ACCOUNTING SYSTEMS
CHAPTER OVERVIEW
· Business Process Modules and Their Integration with Financial & Accounting
Systems
INTRODUCTION
1 What is a System?
· The system is a set of interrelated & interdependent elements or components that
operate together to accomplish common objectives by taking inputs and producing
outputs in an organized manner.
· All systems generally have –
§ Inputs, Outputs and feedback mechanisms,
§ Systems have number of interrelated & interdependent sub-system. No sub-
systems can function in isolation. It depends on other sub-systems for inputs.
§ If one sub-system / component fails, in most of the cases the whole system
doesn’t work.
Every accounting system stores data in two ways: Master Data and Non-Master Data (or
Transaction Data), as shown.
1) Master Data:
· Master data is relatively permanent data that is not expected to change again
and again frequently.
· Master data is generally not typed by the user but it is created by Database
administrator.
· On the basis of Master data, user incorporates transaction data into the system.
· All business process modules must use common master data.
· Master data is selected from the available list of masters (e.g. Ledgers) to
maintain standardization as we need to collect all the transactions relating to
one master data at one place for reporting.
· While inputting the information, user is forced to select master data from the
available list just to avoid confusion while preparing reports. For example -
same ledger name may be written differently.
2) Non-Master Data:
· It is a data which is expected to change frequently, again and again and not a
permanent data.
· Non-master data is typed by the user and not selected from available list as it is
a non-permanent and it keeps on changing again and again.
· E.g. Amounts recorded in each transaction shall be different every time and
expected to change again and again. Date recorded in each transaction is
expected to change again and again and will not be constant in all the
transactions.
5. Sales (Accounting): For recording all types of trading sales by any mode (cash/bank/credit).
6. Purchase (Accounting): For recording all types of trading purchases by any mode (cash/bank/credit).
7. Credit Note (Accounting): For making changes/corrections in already recorded sales/purchase transactions.
8. Debit Note (Accounting): For making changes/corrections in already recorded sales/purchase transactions.
9. Purchase Order (Inventory): For recording a purchase order raised on a vendor.
10. Sales Order (Inventory): For recording a sales order received from a customer.
11. Stock Journal (Inventory): For recording physical movement of stock from one location to another.
12. Physical Stock (Inventory): For making corrections in stock after physical counting.
13. Delivery Note (Inventory): For recording physical delivery of goods sold to a customer.
14. Receipt Note (Inventory): For recording physical receipt of goods purchased from a vendor.
15. Memorandum (Accounting): For recording a transaction which will be in the system but will not affect the trial balance.
16. Attendance (Payroll): For recording attendance of employees.
17. Payroll (Payroll): For salary calculations.
6. Explain Accounting Flow from the angle of software
Flow of Accounting (figure): Transactions -> Voucher Entry (Humans) -> Posting -> Balancing -> Trial Balance (Software)
As shown in the figure of the flow of accounting, there are seven steps in all, of which
only the first two require human intervention. The remaining five steps are mechanical
and can be performed by software with high speed and accuracy. These last five steps,
i.e. Posting, Balancing, Trial Balance preparation, Profit & Loss Account preparation and
Balance Sheet preparation, are time-consuming jobs that require huge effort.
Types of Ledgers
Key Points -
· Basic objective of accounting software is to generate two primary accounting reports, i.e.
Profit & Loss Account and Balance Sheet. Income and Expense ledgers are considered in
Profit & Loss Account and Asset and Liability ledgers are considered in Balance Sheet. Hence
every ledger is classified in one of the four categories, i.e. Income, Expense, Asset or
Liability.
· Difference between Total Income and Total Expenses, i.e. Profit or Loss as the case may be,
is taken to Balance Sheet. Balance Sheet is the last point in accounting process.
· Any ledger can be categorized in any one category only, i.e. Asset, Liability, Income or
Expense. It cannot be categorized in more than one category.
· Ledger grouping is used for preparation of reports, i.e. Balance Sheet and Profit & Loss
Account.
Accounting software does not recognize any ledger as Personal, Real or Nominal, instead
it recognizes it as an Asset, Liability, Income or Expense Ledger.
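The mechanical steps of the accounting flow (posting, balancing, trial balance, Profit & Loss, Balance Sheet) and the ledger classification just described fit in a few dozen lines once vouchers are forced to pick their ledgers from a master list. The Python below is an added example, not code from these notes or from any accounting package; the ledger names, their categories and the three vouchers are constructed.

```python
"""Added example (not code from the J.K. Shah notes): the software steps of the
accounting flow, driven from vouchers whose ledgers must come from a master list
and where every ledger is an Asset, Liability, Income or Expense ledger.
Ledger names, categories and vouchers are constructed sample data."""
from decimal import Decimal

# Constructed ledger master: each ledger sits in exactly one of the four categories
LEDGER_MASTER = {
    "Cash": "Asset",
    "Capital": "Liability",
    "Sales": "Income",
    "Rent": "Expense",
}


class Books:
    def __init__(self, masters):
        self.masters = dict(masters)
        self.ledgers = {name: [] for name in masters}   # posted (voucher, dr, cr) per ledger

    def voucher_entry(self, voucher_no, lines):
        """Human step. lines = [(ledger, debit, credit), ...]. The ledger is selected
        from the master, so 'Cash' and 'cash' cannot become two ledgers, and the
        voucher must balance before it is posted."""
        for ledger, _, _ in lines:
            if ledger not in self.masters:
                raise ValueError(f"{voucher_no}: ledger '{ledger}' is not in the master list")
        if sum(Decimal(d) for _, d, _ in lines) != sum(Decimal(c) for _, _, c in lines):
            raise ValueError(f"{voucher_no}: debits do not equal credits")
        self._post(voucher_no, lines)

    def _post(self, voucher_no, lines):
        """Posting: copy each voucher line into its ledger account."""
        for ledger, dr, cr in lines:
            self.ledgers[ledger].append((voucher_no, Decimal(dr), Decimal(cr)))

    def balance(self, ledger):
        """Balancing: debit balance positive, credit balance negative."""
        return sum(dr - cr for _, dr, cr in self.ledgers[ledger])

    def trial_balance(self):
        """Debit and credit column per ledger; the two column totals must agree."""
        rows, dr_total, cr_total = {}, Decimal(0), Decimal(0)
        for ledger in self.ledgers:
            bal = self.balance(ledger)
            dr, cr = (bal, Decimal(0)) if bal >= 0 else (Decimal(0), -bal)
            rows[ledger] = (dr, cr)
            dr_total += dr
            cr_total += cr
        return rows, dr_total, cr_total

    def _category_total(self, category):
        return sum(self.balance(l) for l, c in self.masters.items() if c == category)

    def profit_and_loss(self):
        """Income ledgers carry credit balances, so negate to get a positive income figure."""
        income = -self._category_total("Income")
        expense = self._category_total("Expense")
        return income - expense

    def balance_sheet(self):
        """Assets on one side; liabilities plus the profit carried from the P&L on the other."""
        assets = self._category_total("Asset")
        liabilities = -self._category_total("Liability") + self.profit_and_loss()
        return assets, liabilities


def demo():
    """Constructed vouchers: capital introduced, a cash sale, rent paid."""
    books = Books(LEDGER_MASTER)
    books.voucher_entry("V1", [("Cash", 100000, 0), ("Capital", 0, 100000)])
    books.voucher_entry("V2", [("Cash", 30000, 0), ("Sales", 0, 30000)])
    books.voucher_entry("V3", [("Rent", 8000, 0), ("Cash", 0, 8000)])
    return books


if __name__ == "__main__":
    b = demo()
    rows, dr, cr = b.trial_balance()
    for ledger, (d, c) in rows.items():
        print(f"{ledger:<10} Dr {d:>10} Cr {c:>10}")
    print(f"{'Total':<10} Dr {dr:>10} Cr {cr:>10}")
    print("Profit:", b.profit_and_loss())
    print("Balance Sheet (assets, liabilities):", b.balance_sheet())
```

With the three vouchers the trial balance totals Rs 1,30,000 on both sides, the Profit & Loss shows Rs 22,000, and the Balance Sheet balances at Rs 1,22,000 once that profit is carried to the liabilities side. A voucher naming a ledger that is not in the master is refused at entry time, which is the standardization point made above.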
Technical Concepts in Computerized Financial & Accounting Systems
9. Explain working of any software through ‘Front end’ and ‘back end’ modules
· A customer will place an order with waiter (Front End) and not with a cook (Back End)
directly.
· Waiter will receive the order and pass it on to the cook in the kitchen.
· Cook will process the food as per requirement and hand it over to the waiter.
· Waiter will serve the food to the customer.
Data Security
Installed application: As the data is in physical control of the user, it cannot be accessed by unauthorized users.
Web application: As data is maintained on a web server, it can be accessed by unauthorized users.
Performance
Installed application: A well written installed application shall always be faster than a web application, as data is picked from the local server without internet.
Web application: As data is picked from the web server using the internet, speed of operation may be slower.
Non-Integrated Systems
Above is a typical non-integrated environment where all the departments work
independently and use their own set of data. They need to communicate with each other,
but still they use their own data.
This results in two major problems:
a. Communication Gaps
b. Mismatched Data
Communication between different business units is a major aspect for success of any
organization.
· An ERP system is based on a common database and a modular software design. The
common database can allow every department of a business to store and retrieve
information in real-time.
· Ideally, the data for the various business functions are integrated. In practice the ERP
system may comprise a set of discrete applications, each maintaining a discrete data
store within one physical database.
· Some of the well-known ERPs in the market today include SAP, Oracle, MFG Pro, MS
Axapta etc.
• Projects: Costing, billing, activity management, time and expense, etc.
• Customer Relationship Management (CRM):
§ CRM is a term applied to processes implemented by a company to handle its
contact with its customers.
§ It provides information to management as to the customer requirement,
customer account balance, payment details, types of products etc.
§ Details on any customer contacts can also be stored in the system.
§ The rationale behind this approach is to improve services provided directly to
customers and to use the information in the system for targeted marketing.
• Data Warehouse:
§ Data warehouse is a repository of an organization’s electronically stored data.
§ It is designed to extract relevant data from various databases, load it into
repository for supporting data analysis and provide data reporting.
§ Usually this is a module that can be accessed by an organization’s customers,
suppliers and employees.
16. Explain various risks associated and Controls required in ERP Systems
Data Safety
Risk: As there is only one set of data, if this data is lost, the whole business may come to a standstill.
Control: Backup arrangements need to be very strong. Also, strict physical control is needed for data.
Speed of Operation
Risk: As data is maintained centrally, the data size gradually becomes larger and larger and it may reduce the speed of operation.
Control: This can be controlled by removing redundant data on a continuous basis.
Change in Process
Risk: As the overall system is integrated, a small change in process for one department may require a lot of effort and money.
Control: All the processes must be documented carefully at the beginning of implementation itself, so as to avoid any discomfort in future.
Staff Turnover
Risk: As the overall system is integrated and connected with each other department, it becomes complicated and difficult to understand. In case of staff turnover, it becomes increasingly difficult to maintain the system.
Control: This can be controlled and minimized with the help of a proper staff training system, help manuals, backup plans for staff turnover, etc.
System Failure
Risk: As everybody is connected to a single system and central database, in case of failure of the system the whole business may come to a standstill or may get affected badly.
Control: This can be controlled and minimized by having proper and updated backups of data as well as alternate hardware / internet arrangements. In case of failure of the primary system, the secondary system may be used.
18. Audit of ERP System
Some of the questions auditors should ask during an ERP audit are pretty much the same
as those that should be asked during development and implementation of the system:
• Does the system process according to GAAP (Generally Accepted Accounting
Principles) and GAAS (Generally Accepted Auditing Standards)?
• Does it meet the needs for reporting, whether regulatory or organizational?
• Were adequate user requirements developed through meaningful interaction?
• Does the system protect confidentiality and integrity of information assets?
• Does it have controls to process only authentic, valid, accurate transactions?
• Are effective system operations and support functions provided?
• Are all system resources protected from unauthorized access and use?
• Are user privileges based on what is called “role-based access?”
• Is there an ERP system administrator with clearly defined responsibilities?
• Is the functionality acceptable? Are user requirements met? Are users happy?
• Have workarounds or manual steps been required to meet business needs?
• Are there adequate audit trails and monitoring of user activities?
• Can the system provide management with suitable performance data?
• Are users trained? Do they have complete and current documentation?
• Is there a problem-escalation process?
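Two of the questions above, role-based access and audit trails of user activity, are easiest to understand as a small piece of code. The following is an added example and not part of the original notes or any ERP product: the roles, permissions, user names and sample activity are constructed, and a real ERP would read all of them from its security tables.

```python
"""Added example (not from the notes): role-based access with an audit trail, the two
controls an ERP auditor asks about in the list above. Roles, permissions, users and the
sample activity are constructed; a real ERP would read them from its security tables."""
from dataclasses import dataclass
from datetime import datetime, timezone

# A permission is a (module, action) pair; a role is a named set of permissions.
ROLES = {
    "ap_clerk":   {("AP", "create_invoice"), ("AP", "view_invoice")},
    "ap_manager": {("AP", "view_invoice"), ("AP", "approve_payment")},
    "auditor":    {("AP", "view_invoice"), ("AUDIT", "read_trail")},
    "sysadmin":   {("ADMIN", "assign_role")},
}


@dataclass(frozen=True)
class AuditEvent:
    ts: str
    user: str
    module: str
    action: str
    allowed: bool
    reason: str


class AccessControl:
    def __init__(self, bootstrap_admin):
        # The first administrator is seeded at installation; every later grant goes through assign_role.
        self.user_roles = {bootstrap_admin: {"sysadmin"}}
        self.trail = []                 # append-only: nothing here ever removes or edits an event
        self._log("system", "ADMIN", "assign_role", True, f"sysadmin -> {bootstrap_admin} (bootstrap)")

    def _log(self, user, module, action, allowed, reason):
        self.trail.append(AuditEvent(datetime.now(timezone.utc).isoformat(), user, module, action, allowed, reason))

    def permissions(self, user):
        return set().union(*(ROLES[r] for r in self.user_roles.get(user, ())))

    def check(self, user, module, action):
        """Default deny: allowed only if some role assigned to the user grants (module, action).
        Every attempt, allowed or not, is written to the trail."""
        allowed = (module, action) in self.permissions(user)
        self._log(user, module, action, allowed, "granted by role" if allowed else "no role grants this permission")
        return allowed

    def assign_role(self, admin, user, role):
        """Granting a role is itself a privileged, audited action."""
        if not self.check(admin, "ADMIN", "assign_role"):
            return False
        if role not in ROLES:
            self._log(admin, "ADMIN", "assign_role", False, f"unknown role {role!r}")
            return False
        self.user_roles.setdefault(user, set()).add(role)
        self._log(admin, "ADMIN", "assign_role", True, f"{role} -> {user}")
        return True

    def denied_attempts(self, user=None):
        """What an auditor reads from the trail: failed attempts, optionally for one user."""
        return [e for e in self.trail if not e.allowed and (user is None or e.user == user)]


def demo():
    ac = AccessControl(bootstrap_admin="root")
    ac.assign_role("root", "alice", "ap_clerk")
    ac.assign_role("root", "bob", "ap_manager")
    ac.assign_role("alice", "alice", "ap_manager")          # a clerk cannot grant herself a role
    outcome = (
        ac.check("alice", "AP", "create_invoice"),           # True
        ac.check("alice", "AP", "approve_payment"),          # False: creating and approving are separated
        ac.check("bob", "AP", "approve_payment"),            # True
    )
    return outcome, [(e.user, e.module, e.action) for e in ac.denied_attempts()]


if __name__ == "__main__":
    print(demo())
```

The point for the audit questions is that the denied attempts (the clerk trying to grant herself a role, then trying to approve a payment) are in the trail alongside the successful ones, so the trail answers "who tried what" and not only "who did what".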
20. Explain Accounting process flow in Accounting Cycle.
(a) Source Document: A document that captures data from transactions and events.
(b) Journal: Transactions are recorded into journals from the source document.
(c) Ledger: Entries are posted to the ledger from the journal.
(d) Trial Balance: Unadjusted trial balance containing totals from all account heads is
prepared.
(e) Adjustments: Appropriate adjustment entries are passed.
(f) Adjusted Trial balance: The trial balance is finalized post adjustments.
(g) Closing Entries: Appropriate entries are passed to transfer accounts to financial
statements.
(h) Financial statement: The accounts are organized into the financial statements.
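The eight steps above, carried through as code. This is an added example and not part of the original notes; the chart of accounts, the source-document numbers and every figure are constructed, and the closing step transfers the profit to a constructed "Retained Earnings" account.

```python
"""Added example (not from the notes): the accounting cycle above as code, from
source document through journal, ledger, trial balance, adjustment, closing entries
and statements. The chart of accounts and all figures are constructed."""
from collections import defaultdict
from dataclasses import dataclass

ASSET, LIABILITY, EQUITY, REVENUE, EXPENSE = "asset", "liability", "equity", "revenue", "expense"

# Chart of accounts: the account type decides which statement a balance ends up on.
CHART = {
    "Cash": ASSET, "Receivables": ASSET, "Prepaid Rent": ASSET,
    "Payables": LIABILITY, "Capital": EQUITY, "Retained Earnings": EQUITY,
    "Sales": REVENUE, "Rent Expense": EXPENSE, "Salary Expense": EXPENSE,
}


@dataclass
class Entry:
    source_doc: str        # (a) reference to the source document: invoice no., voucher no., etc.
    lines: list            # [(account, debit, credit), ...]
    kind: str = "normal"   # normal / adjustment / closing


class Books:
    def __init__(self):
        self.journal = []                                   # (b) chronological record of entries
        self.ledger = defaultdict(lambda: [0.0, 0.0])       # (c) account -> [total debit, total credit]

    def record(self, entry):
        """Journalise an entry: it must balance and may only use accounts from the chart."""
        debits = sum(line[1] for line in entry.lines)
        credits = sum(line[2] for line in entry.lines)
        if abs(debits - credits) > 1e-9:
            raise ValueError(f"{entry.source_doc}: debits {debits} != credits {credits}")
        for account, _, _ in entry.lines:
            if account not in CHART:
                raise KeyError(f"{entry.source_doc}: {account!r} is not in the chart of accounts")
        self.journal.append(entry)
        for account, dr, cr in entry.lines:                 # post journal -> ledger
            self.ledger[account][0] += dr
            self.ledger[account][1] += cr

    def balance(self, account):
        """Net ledger balance: positive means a debit balance, negative a credit balance."""
        dr, cr = self.ledger[account]
        return dr - cr

    def trial_balance(self):
        """(d)/(f) Put every account's net balance on its side and return the column totals."""
        rows, total_dr, total_cr = {}, 0.0, 0.0
        for account in list(self.ledger):
            b = self.balance(account)
            rows[account] = (b, 0.0) if b >= 0 else (0.0, -b)
            total_dr += rows[account][0]
            total_cr += rows[account][1]
        return rows, round(total_dr, 2), round(total_cr, 2)

    def close_books(self):
        """(g) Transfer revenue and expense balances to Retained Earnings; returns the net profit."""
        lines, profit = [], 0.0
        for account, kind in CHART.items():
            b = self.balance(account)
            if kind == REVENUE and b != 0:          # revenue carries a credit balance: debit it out
                lines.append((account, -b, 0.0))
                profit += -b
            elif kind == EXPENSE and b != 0:        # expense carries a debit balance: credit it out
                lines.append((account, 0.0, b))
                profit -= b
        lines.append(("Retained Earnings", 0.0, profit) if profit >= 0 else ("Retained Earnings", -profit, 0.0))
        self.record(Entry("CLOSING", lines, kind="closing"))
        return round(profit, 2)

    def balance_sheet(self):
        """(h) After closing only balance-sheet accounts carry balances; both sides must agree."""
        assets = sum(self.balance(a) for a, k in CHART.items() if k == ASSET)
        liabilities_equity = -sum(self.balance(a) for a, k in CHART.items() if k in (LIABILITY, EQUITY))
        return round(assets, 2), round(liabilities_equity, 2)


def run_cycle():
    """Walk one period through the cycle with constructed figures."""
    books = Books()
    books.record(Entry("CAP-1", [("Cash", 10000, 0), ("Capital", 0, 10000)]))          # owner's capital
    books.record(Entry("INV-7", [("Receivables", 4000, 0), ("Sales", 0, 4000)]))       # credit sale
    books.record(Entry("RENT-3", [("Prepaid Rent", 1200, 0), ("Cash", 0, 1200)]))      # 12 months' rent paid in advance
    books.record(Entry("SAL-1", [("Salary Expense", 900, 0), ("Payables", 0, 900)]))   # salary accrued
    _, dr, cr = books.trial_balance()                   # (d) unadjusted trial balance must tally
    assert dr == cr == 14900
    books.record(Entry("ADJ-1", [("Rent Expense", 100, 0), ("Prepaid Rent", 0, 100)], kind="adjustment"))  # (e)
    profit = books.close_books()                        # (g)
    return profit, books.balance_sheet()                # (h)


if __name__ == "__main__":
    print(run_cycle())
```

The two checks in `record` (entries must balance, accounts must exist in the chart) are the controls that make the later trial balance meaningful: an entry that fails either never reaches the ledger.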
There are three different natures and types of business that are operated with the
purpose of earning profit. Each type of business has distinctive features.
• Trading Business - Trading simply means buying and selling goods without any
modifications, as it is. Hence inventory accounting is a major aspect in this case.
Purchase and sales transactions cover major portion of accounting. This industry
requires accounting as well as inventory modules.
• Manufacturing Business - This type of business includes all aspects of trading
business plus additional aspect of manufacturing. Manufacturing is simply buying
raw material, changing its form and selling it as a part of trading. Here also,
inventory accounting plays a major role. This type of industry requires accounting
and complete inventory along with manufacturing module.
• Service Business - This type of business does not have any inventory. It is selling of
skills / knowledge / Efforts / time. E.g. Doctors, Architects, Chartered Accountants,
are the professionals into service business. There may be other type of business
into service, i.e. courier business, security service, etc. This industry does not
require inventory module.
23. Explain Financial Accounting Module & key features of Financial Accounting
Module
This module is the most important module of the overall ERP System and it
connects all the modules to each other. Every module is somehow connected
with this module.
Following are the key features of this module:
• Tracking of flow of financial data across the organization in a controlled
manner and integrating all the information for effective strategic decision
making.
• Creation of Organizational Structure (Defining Company, Company Codes,
business Areas, Functional Areas, Credit Control, Assignment of Company
Codes to Credit Controls).
• Financial Accounting Global Settings (Maintenance of Fiscal Year, Posting
Periods, defining Document types, posting keys, Number ranges for
documents).
• General Ledger Accounting (Creation of Chart of Accounts, Account groups,
defining data transfer rules, creation of General Ledger Account).
• Tax Configuration & Creation and Maintenance of House of Banks.
• Account Payables (Creation of Vendor Master data and vendor-related
finance attributes like account groups and payment terms).
• Account Receivables (Creation of Customer Master data and customer-
related finance attributes like account groups and payment terms).
• Asset Accounting.
• Integration with Sales and Distribution and Materials Management.
25. Explain Sales & distribution Module & key features of Sales & distribution
Module
billings.
In all these processes, multiple modules are involved such as FA (Finance &
Accounting), CO (Controlling), MM (Material Management), PP (Production
Planning), LE (Logistics Execution), etc., which shows the complexity of the
integration involved.
• Material Delivery - Material is delivered to the customer as per sales order. All
inventory details are copied from Sales Order to Material Delivery for saving user’s
time and efforts. This transaction shall have a linking with Sales Order. Stock
balance shall be reduced on recording of this transaction.
• Billing - This is a transaction of raising an invoice against the delivery of material to
customer. This transaction shall have a linking with Material Delivery and all the
details shall be copied from it. Stock balance shall not affect again.
• Receipt from Customer - This is a transaction of receiving amount from
customer against sales invoice and shall have a linking with sales invoice.
· This module enhances the work process and data management within HR
department of enterprises. Human resource is the most valuable asset for an
organization. Utilization of this resource in most effective & efficient way is an
important function for any organization.
· The most important objective of master data administration in Human Resources
is to enter employee-related data for administrative, time-recording, and payroll
purposes. This module maintains total employee database including wages &
attendance, preparing wage sheet for workmen, handle provident fund etc.
· The objectives of HR Management are:
§ To ensure the least possible disputes,
§ Right utilization of manpower,
§ To keep status and track of employees' efficiency, and
§ To keep track of leave records of all employees
· It contains skill database of all users with details of qualifications, training,
experience, interests etc. for allocating manpower to right activity at the time of
need.
· It includes various functions such as Recruitment Management, Personnel
administration, Training Management, Attendance Management, Payroll
Management, Promotion Management.
29. Write short note on Material Management (MM) Module
· Issue of material - Material received by stores shall be issued to production department as
per requirement.
· Purchase Invoice - This is a financial transaction. Trial balance is affected due to this
transaction. Material Receipt transaction does not affect trial balance. This transaction shall
have a linking with Material Receipt Transaction and all the details of material received shall
be copied automatically in purchase invoice. As stock is increased in Material Receipt
transaction, it will not be increased again after recording of purchase invoice.
· Payment to Vendor - Payment shall be made to vendor based on purchase invoice recorded
earlier. Payment transaction shall have a linking with purchase invoice.
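The Material Management chain here (Material Receipt, Purchase Invoice, Payment to Vendor) and the Sales & Distribution chain described earlier (Material Delivery, Billing, Receipt from Customer) share one design: each document links to the one before it, copies its details, and stock is touched exactly once per chain. The following added example, not part of the original notes or of any ERP product, puts both chains in code; items, quantities, rates and account names are constructed.

```python
"""Added example (not from the notes): the linked transaction chains in the Sales &
Distribution and Material Management flows above. Stock changes only on Material
Receipt and Material Delivery; the invoice links to that document and copies its
lines without touching stock again; payment or receipt links to the invoice. Items,
quantities and rates are constructed."""
from dataclasses import dataclass


@dataclass
class Document:
    doc_type: str          # MR, PI, PAY (purchase side); MD, BILL, RCPT (sales side)
    number: str
    lines: list            # [(item, qty, rate), ...]
    link: str = None       # number of the document this one was derived from


class ErpBooks:
    def __init__(self):
        self.stock = {}            # item -> quantity on hand
        self.docs = {}             # document number -> Document
        self.trial_balance = {}    # account -> net balance (debit positive)
        self.consumed = set()      # documents already taken forward by the next step

    def _post(self, account, amount):
        self.trial_balance[account] = self.trial_balance.get(account, 0) + amount

    def _derive(self, new_type, number, from_number, expected_type):
        """Create the next document in the chain by copying lines from the linked one.
        Rejects a missing link, a link of the wrong type, and a link used twice."""
        src = self.docs.get(from_number)
        if src is None or src.doc_type != expected_type:
            raise ValueError(f"{new_type} {number}: must link to an existing {expected_type}")
        if from_number in self.consumed:
            raise ValueError(f"{new_type} {number}: {from_number} has already been taken forward")
        self.consumed.add(from_number)
        doc = Document(new_type, number, list(src.lines), link=from_number)
        self.docs[number] = doc
        return doc, sum(qty * rate for _, qty, rate in doc.lines)

    # -- procurement: Material Receipt -> Purchase Invoice -> Payment to Vendor --
    def material_receipt(self, number, lines):
        """Stock goes up here; the trial balance is not touched."""
        for item, qty, _ in lines:
            self.stock[item] = self.stock.get(item, 0) + qty
        self.docs[number] = Document("MR", number, lines)

    def purchase_invoice(self, number, receipt_no):
        """Financial transaction: affects the trial balance, leaves stock as it is."""
        _, amount = self._derive("PI", number, receipt_no, "MR")
        self._post("Purchases", amount)
        self._post("Vendor", -amount)
        return amount

    def vendor_payment(self, number, invoice_no):
        _, amount = self._derive("PAY", number, invoice_no, "PI")
        self._post("Vendor", amount)
        self._post("Bank", -amount)
        return amount

    # -- sales: Material Delivery -> Billing -> Receipt from Customer --
    def material_delivery(self, number, order_lines):
        """Stock goes down here, and only here."""
        for item, qty, _ in order_lines:
            if self.stock.get(item, 0) < qty:
                raise ValueError(f"MD {number}: insufficient stock of {item}")
            self.stock[item] -= qty
        self.docs[number] = Document("MD", number, order_lines)

    def billing(self, number, delivery_no):
        _, amount = self._derive("BILL", number, delivery_no, "MD")
        self._post("Customer", amount)
        self._post("Sales", -amount)
        return amount

    def customer_receipt(self, number, bill_no):
        _, amount = self._derive("RCPT", number, bill_no, "BILL")
        self._post("Bank", amount)
        self._post("Customer", -amount)
        return amount


def demo():
    books = ErpBooks()
    books.material_receipt("MR-1", [("TV-42", 10, 20000)])
    tb_after_receipt = dict(books.trial_balance)           # still empty: receipt is not financial
    books.purchase_invoice("PI-1", "MR-1")
    stock_after_invoice = books.stock["TV-42"]             # still 10: invoice does not add stock again
    books.vendor_payment("PAY-1", "PI-1")
    books.material_delivery("MD-1", [("TV-42", 4, 26000)])
    books.billing("BILL-1", "MD-1")
    books.customer_receipt("RCPT-1", "BILL-1")
    return tb_after_receipt, stock_after_invoice, books.stock["TV-42"], books.trial_balance
```

The `consumed` set is what prevents the same receipt from being invoiced twice or the same invoice from being paid twice; the type check in `_derive` prevents, for example, a payment being linked straight to a receipt with no invoice in between.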
[Figure: Quality management process flow showing Plan Quality, Quality Check List, Approved Change Requests, Perform Integrated Change Control and Direct & Manage Project Execution]
• Identify quality issues and improvements and changes to be made;
• In case any change is needed in the product, change requests are sent;
• Report on the overall level of quality achieved; and
• Quality is checked at multiple points, e.g. inwards of goods at warehouse,
manufacturing, procurement, returns.
This is a functional module which handles the maintenance of equipment and enables
efficient planning of production and generation schedules. The Plant Maintenance (PM)
application component provides a comprehensive software solution for all
maintenance activities that are performed within a company. It supports cost-efficient
maintenance methods, such as risk-based maintenance or preventive maintenance, and
provides comprehensive outage planning and powerful work order management.
This is an integrated project management tool used for planning and managing projects.
It has several tools that enable project management process such as cost and planning
budget, scheduling, requisitioning of materials and services.
[Figure: Project Request]
35. Write short note on Supply Chain Module.
ensure that the product promotions reach a different and brand new set of
customers, and not only to existing ones who had already purchased product, and
thus effectively increase customer revenue.
• Maximize up-selling and cross-selling: A CRM system allows up-selling which is
the practice of giving customers premium products that fall in the same category
of their purchase. The strategy also facilitates cross selling which is the practice of
offering complementary products to customers, based on their previous
purchases. This is done by interacting with the customers and getting an idea
about their wants, needs, and patterns of purchase. The details thus obtained will
be stored in a central database, which is accessible to all company executives.
• Better internal communication: It helps in building up better communication
within the company. The sharing of customer data between different departments
will enable them to work as a team. This is better than functioning as an isolated
entity, as it will help in increasing the company’s profitability and enabling better
service to customers.
• Optimize marketing: It helps in understanding customer needs and behavior,
thereby allowing the organization to identify the correct time to market its product to
customers. CRM will also give an idea about the most profitable customer
groups so that they can be targeted at the right time. In this way, the organization will
be able to optimize marketing resources efficiently and avoid wasting time and
resources on less profitable customer groups.
Inventory stands for list of stock items intended for trading or consumption. It includes
raw material, work in process, finished goods and consumables. All the transactions
involving inventory are covered in this module.
Inventory Accounting Concepts
1. Stock Item - Item of stock intended for sale / consumption in the normal course of business. E.g. for a person dealing in white goods, TV, Fridge, Air Conditioner, Cooler, Heater shall be inventory for him.
2. Stock Group - Used for reporting of similar stock items, e.g. all televisions of different sizes of one brand are placed under one group for reporting purposes.
3. Godown - Just like a physical godown, this is an electronic place for storing stock items in the software.
4. Unit of Measure - A unit for measuring movement of stock items, e.g. kilogram, litre, meter, numbers, dozens, boxes, pieces, pairs, etc. Units of measure are attached to stock items and not stock groups. Normally a unit of measure once set cannot be altered after recording of transactions in a stock item.
5. Re-order Level - It is the level of stock set for placing an order for purchase. If the stock balance for a stock item touches this level, an order for purchase of goods is to be placed.
6. Price Levels - It is a pre-decided rate structure for different stock items for different customers for different quantities. E.g. we may have three different types of customers as Wholesale, Retail and Government. Three different selling rates may be applied for these three different types of customers. Also, there may be a different rate structure depending on the quantity purchased.
7. Stock Ageing - Identifying the age of stock items and arranging them as per age. This is necessary as “Old is Gold” hardly works in Inventory Management in today’s ever changing world. As the age of a stock item increases, it becomes increasingly difficult to sell it and the possibility of loss increases day by day.
8. Cost Tracking - To arrive at the correct value of closing stock and to obtain correct data for management decisions, all the costs associated with procurement of inventory must be tracked and added to inventory costs. E.g. purchase cost is recorded through purchase transactions, but costs like loading / unloading, transportation, insurance, etc. paid separately are not recorded in the purchase voucher and hence need to be added to the cost of stock items separately. This is possible with cost tracking.
9. Batch - This concept is used in manufacturing of goods. Every batch of production is given a unique number as a batch number. At the time of checking stock balance, batch-wise stock is identified and separated for handling purposes. At the time of all movement of goods, stock is updated along with the batch. This is again used for knowing the balance for old and new batches.
10. Expiry Dates - This is a concept associated with Batch. This is used for perishable goods, food items, medicines, etc. At the time of buying or manufacturing such goods, the expiry date is set. Based on this already set expiry date, the position of “expired stock” and “about to expire stock” is displayed. This information is useful to management for taking inventory related decisions.
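Several of the concepts in the table above (unit of measure fixed per item, re-order level, price levels, stock ageing, cost tracking, batches and expiry dates) fit into one small stock-item model. The following is an added example, not part of the original notes or of any inventory product; the item, batch numbers, dates and figures are constructed, and the first-expiring-first issue rule is one reasonable choice, not the only one.

```python
"""Added example (not from the notes): the inventory concepts in the table above as code:
batch-wise stock with expiry dates, re-order level, stock ageing, price levels and
cost tracking. Item, batch numbers, dates and figures are constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Batch:
    batch_no: str
    qty_received: float
    purchase_cost: float          # per unit, as recorded in the purchase voucher
    received: date
    expiry: date = None           # None for non-perishable items
    on_hand: float = field(init=False)

    def __post_init__(self):
        self.on_hand = self.qty_received

    def expired_on(self, on):
        return self.expiry is not None and self.expiry <= on


class StockItem:
    def __init__(self, name, unit, group, reorder_level, price_levels):
        self.name, self.unit, self.group = name, unit, group   # unit of measure is fixed per item
        self.reorder_level = reorder_level
        self.price_levels = price_levels                      # customer type -> selling rate
        self.batches = []
        self.other_costs = 0.0                                # freight, loading, insurance paid separately

    def receive(self, batch):
        self.batches.append(batch)

    def add_cost(self, amount):
        """Cost tracking: costs not in the purchase voucher are still loaded onto the item."""
        self.other_costs += amount

    def landed_cost_per_unit(self):
        units = sum(b.qty_received for b in self.batches)
        purchase = sum(b.qty_received * b.purchase_cost for b in self.batches)
        return (purchase + self.other_costs) / units

    def usable_balance(self, on):
        return sum(b.on_hand for b in self.batches if not b.expired_on(on))

    def needs_reorder(self, on):
        return self.usable_balance(on) <= self.reorder_level

    def issue(self, qty, on):
        """Issue from the batch that expires first (then the oldest), never from expired stock."""
        usable = sorted((b for b in self.batches if b.on_hand > 0 and not b.expired_on(on)),
                        key=lambda b: (b.expiry or date.max, b.received))
        if sum(b.on_hand for b in usable) < qty:
            raise ValueError(f"{self.name}: only {self.usable_balance(on)} {self.unit} usable")
        issued = []
        for b in usable:
            if qty == 0:
                break
            take = min(qty, b.on_hand)
            b.on_hand -= take
            qty -= take
            issued.append((b.batch_no, take))
        return issued

    def expiry_status(self, on, warn_days=30):
        """Batch numbers that are already expired, and those expiring within warn_days."""
        expired = [b.batch_no for b in self.batches if b.on_hand > 0 and b.expired_on(on)]
        soon = [b.batch_no for b in self.batches
                if b.on_hand > 0 and b.expiry and on < b.expiry <= on + timedelta(days=warn_days)]
        return expired, soon

    def ageing(self, on):
        """Quantity on hand by age bracket in days since receipt."""
        buckets = {"0-30": 0, "31-60": 0, "61-90": 0, "90+": 0}
        for b in self.batches:
            days = (on - b.received).days
            key = "0-30" if days <= 30 else "31-60" if days <= 60 else "61-90" if days <= 90 else "90+"
            buckets[key] += b.on_hand
        return buckets

    def price_for(self, customer_type):
        return self.price_levels[customer_type]


def demo():
    today = date(2024, 6, 1)
    milk = StockItem("Milk 1L", "litre", "Dairy", reorder_level=30,
                     price_levels={"Wholesale": 45, "Retail": 55, "Government": 50})
    milk.receive(Batch("B-240401", 40, 38.0, date(2024, 4, 1), date(2024, 5, 15)))   # expired before today
    milk.receive(Batch("B-240520", 30, 40.0, date(2024, 5, 20), date(2024, 6, 20)))
    milk.receive(Batch("B-240530", 30, 41.0, date(2024, 5, 30), date(2024, 6, 25)))
    milk.add_cost(300.0)                                   # transport bill recorded separately
    issued = milk.issue(35, on=today)                      # 30 from B-240520, then 5 from B-240530
    expired, soon = milk.expiry_status(today)
    return (issued, milk.usable_balance(today), milk.needs_reorder(today),
            expired, soon, milk.ageing(today), round(milk.landed_cost_per_unit(), 2))
```

Note that the expired batch still shows in the ageing report (it is physically in the godown) but is excluded from the usable balance, so the re-order check is not fooled by stock that cannot be sold.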
39. Explain important points for integration of modules with Financial & Accounting
System
Following points are important for integration of modules with Financial & Accounting
System
• Master data across all the modules must be the same and must be shared with other
modules wherever required.
• Common transaction data must be shared with other modules wherever
required.
• Separate voucher types to be used for each module for easy identification of
department recording it.
• Figures and transaction may flow across the department, e.g. closing stock value is
taken to Trading Account as well as Balance Sheet. Closing stock quantity is
required by Purchase Department, Stores Department, Accounts Department,
Production Department etc. Hence, it is necessary to design the system
accordingly.
Some of the points where integration with other modules is required are discussed here.
(ii) Human Resource Module Integration with Finance & Controlling
Attendance and leave record is used for calculation of salary on monthly basis. Salary is
also a part of financial accounting. Hence salary processed and calculated by Human
Resource Module shall be integrated with Finance & Controlling Module.
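The integration points listed above (one shared set of master data, a separate voucher type per module, and HR's salary figures flowing into Finance & Controlling) can be shown in one small journal. This is an added example and not part of the original notes or of any ERP product; the employee and vendor codes, wages, attendance and account names are constructed.

```python
"""Added example (not from the notes): module integration in code: one shared master
data store, one journal, a voucher type per module, and the HR module's salary run
posting into Finance. Codes, wages, attendance and account names are constructed."""
from collections import defaultdict

# Shared master data: every module reads the same records instead of keeping its own copy.
MASTER = {
    "employee": {"E001": {"name": "Asha", "daily_wage": 1000}, "E002": {"name": "Ravi", "daily_wage": 800}},
    "vendor": {"V100": {"name": "Acme Traders"}},
    "account": {"Salary Expense", "Salary Payable", "Purchases", "Vendor Control", "Bank"},
}

# Separate voucher type per module, so the department that recorded an entry is visible on it.
VOUCHER_TYPES = {"FI": "JV", "MM": "PUR", "HR": "PAY"}


class IntegratedJournal:
    def __init__(self):
        self.vouchers = []
        self._seq = defaultdict(int)

    def post(self, module, lines, ref):
        """lines: [(account, party_type, party_code, debit, credit)].
        Accounts and party codes must exist in the shared master data."""
        if abs(sum(l[3] for l in lines) - sum(l[4] for l in lines)) > 1e-9:
            raise ValueError(f"{ref}: voucher does not balance")
        for account, party_type, party, _, _ in lines:
            if account not in MASTER["account"]:
                raise KeyError(f"{ref}: unknown account {account!r}")
            if party_type and party not in MASTER[party_type]:
                raise KeyError(f"{ref}: {party_type} {party!r} not in shared master data")
        vtype = VOUCHER_TYPES[module]
        self._seq[vtype] += 1
        voucher = {"no": f"{vtype}-{self._seq[vtype]:04d}", "module": module, "ref": ref, "lines": lines}
        self.vouchers.append(voucher)
        return voucher["no"]

    def by_module(self, module):
        return [v["no"] for v in self.vouchers if v["module"] == module]

    def balance(self, account):
        return sum(l[3] - l[4] for v in self.vouchers for l in v["lines"] if l[0] == account)


def payroll_run(journal, attendance, month):
    """HR module: days present x daily wage from the shared employee master, posted to
    Finance as one PAY voucher per employee, referencing the attendance record."""
    total = 0
    for emp, days in attendance.items():
        wage = MASTER["employee"][emp]["daily_wage"]      # KeyError if the employee is not in the master
        amount = days * wage
        journal.post("HR", [("Salary Expense", None, None, amount, 0),
                            ("Salary Payable", "employee", emp, 0, amount)], ref=f"ATT-{month}")
        total += amount
    return total


def demo():
    j = IntegratedJournal()
    j.post("MM", [("Purchases", None, None, 50000, 0),
                  ("Vendor Control", "vendor", "V100", 0, 50000)], ref="PI-1")
    total = payroll_run(j, {"E001": 22, "E002": 20}, "2024-05")
    return total, j.by_module("HR"), j.by_module("MM"), j.balance("Salary Expense")
```

Because every module posts through the same `post`, the Finance module does not need a separate reconciliation of HR's salary figures: the HR voucher is already in the books, numbered and tagged as an HR entry.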
MANAGEMENT INFORMATION SYSTEMS (MIS)
41. Explain Management Information System (MIS)
· MIS systems automatically collect data from various areas within a business. These
systems can produce daily reports that can be sent to key members throughout the
organization.
· Most MIS systems can also generate on-demand reports. On-demand MIS reports
allow managers and other users of the system to generate an MIS report whenever
they need it.
· It provides various types of sales reports, e.g. month-wise, quarter-wise etc.
· It is a user-friendly system.
• Relevant - MIS reports need to be specific to the business area they address. This is
important because a report that includes unnecessary information might be
ignored.
• Timely – It provides information to the manager as and when it is required by him.
An example of timely information for your report might be customer phone calls
and emails going back 12 months from the current date.
• Accurate – It should provide accurate information to the manager. Managers and
others who rely on MIS reports can’t make sound decisions with information that is
wrong. Financial information is often required to be accurate to the decimal. In
other cases, it may be OK to round off numbers.
• Structured - Information in an MIS report can be complicated. Making that
information easy to follow helps management understand what the report is saying.
Try to break long passages of information into more readable blocks or chunks and
give these chunks meaningful headings.
43. Explain Business Intelligence (BI)
· BI in simple words refers to the process of collecting and refining information from
many sources, analyzing and presenting the information in useful ways so that
users can make better business decisions.
· Business intelligence (BI) is a set of theories, methodologies, architectures, and
technologies that transform raw data into meaningful and useful information for
business purposes.
· BI has been made possible because of advances in a number of technologies, such
as computing power, data storage, computational analytics, reporting and
networking.
· From the perspective of decision making, BI uses data about yesterday and
today to facilitate making better decisions about tomorrow.
· This is done through arranging information in a manner that best provides
insights into the future, thus enabling the enterprise to work smarter.
· BI enables managers to see things with more clarity, and empowers them to peek
into the possible future.
Transform, and Load (ETL) procedures in coordination with a data warehouse and then
using one or more reporting tools. While reports can be distributed in print form or via
email, they are typically accessed via a corporate intranet.
Organizations conduct a wide range of reporting, including financial and regulatory
reporting; Environmental, Social, and Governance (ESG) reporting (or sustainability
reporting); and, increasingly, integrated reporting.
Organizations communicate with their stakeholders about:
· mission, vision, objectives, and strategy;
· governance arrangements and risk management;
· financial, social, and environmental performance (how they have fared against
their objectives in practice).
46. What is XBRL tagging?
XBRL Tagging is the process by which any financial data is tagged with the most
appropriate element in an accounting taxonomy (a dictionary of accounting terms) that
best represents the data in addition to tags that facilitate identification/classification
(such as enterprise, reporting period, reporting currency, unit of measurement etc.).
Since all XBRL reports use the same taxonomy, numbers associated with the same
element are comparable irrespective of how they are described by those releasing the
financial statements.
Comprehensive definitions and accurate data tags allow preparation, validation,
publication, exchange, consumption; and analysis of business information of all kinds.
Information in reports prepared using the XBRL standard is interchangeable between
different information systems in entirely different organizations. This allows for the
exchange of business information across a reporting chain. People that want to report
information, share information, publish performance information and allow straight
through information processing all rely on XBRL.
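What "tagged with the most appropriate element in a taxonomy" and "comparable irrespective of how they are described" mean in practice is easiest to see with a tiny instance document. The following is an added example and not part of the original notes or of the XBRL specification: it builds a much reduced XBRL-style instance (one context, one unit, a handful of facts) with Python's standard library, reads it back, and compares one element across two filers. The taxonomy namespace, the registrar scheme, the entity identifiers, the line-item labels and all figures are constructed; a real filing uses a published taxonomy and carries more (a schema reference among other things) than is shown here.

```python
"""Added example (not from the notes): a minimal XBRL-style instance built, read back and
compared with Python's standard library. The taxonomy namespace, entity identifiers,
report labels and figures are constructed; a real filing would reference a published
taxonomy schema and carry more structure than this."""
import xml.etree.ElementTree as ET

XBRLI = "http://www.xbrl.org/2003/instance"
ISO4217 = "http://www.xbrl.org/2003/iso4217"
TAXONOMY = "http://example.com/taxonomy/2024"          # constructed stand-in for a real taxonomy namespace
NS = {"xbrli": XBRLI, "t": TAXONOMY}


def tag_report(rows, mapping):
    """Tagging: map each filer's own line-item label to the taxonomy element that best represents it.
    rows: {label: value}; mapping: {label: element}. An unmapped label is an error, not a guess."""
    tagged = {}
    for label, value in rows.items():
        if label not in mapping:
            raise KeyError(f"no taxonomy element chosen for {label!r}")
        tagged[mapping[label]] = value
    return tagged


def build_instance(entity_id, period_end, currency, facts):
    """Serialise tagged facts with one context (entity + period) and one unit (currency)."""
    ET.register_namespace("xbrli", XBRLI)
    ET.register_namespace("t", TAXONOMY)
    root = ET.Element(f"{{{XBRLI}}}xbrl", {"xmlns:iso4217": ISO4217})
    ctx = ET.SubElement(root, f"{{{XBRLI}}}context", id="c1")
    entity = ET.SubElement(ctx, f"{{{XBRLI}}}entity")
    ET.SubElement(entity, f"{{{XBRLI}}}identifier", scheme="http://example.com/registrar").text = entity_id
    period = ET.SubElement(ctx, f"{{{XBRLI}}}period")
    ET.SubElement(period, f"{{{XBRLI}}}instant").text = period_end
    unit = ET.SubElement(root, f"{{{XBRLI}}}unit", id="u1")
    ET.SubElement(unit, f"{{{XBRLI}}}measure").text = f"iso4217:{currency}"
    for element, value in facts.items():
        fact = ET.SubElement(root, f"{{{TAXONOMY}}}{element}", contextRef="c1", unitRef="u1", decimals="0")
        fact.text = str(value)
    return ET.tostring(root, encoding="unicode")


def read_facts(xml_text):
    """Parse an instance back into {element: (value, unit, period_end)}, resolving contextRef/unitRef."""
    root = ET.fromstring(xml_text)
    periods = {c.get("id"): c.findtext("xbrli:period/xbrli:instant", namespaces=NS)
               for c in root.findall("xbrli:context", NS)}
    units = {u.get("id"): u.findtext("xbrli:measure", namespaces=NS) for u in root.findall("xbrli:unit", NS)}
    facts = {}
    for el in root:
        if el.tag.startswith("{" + TAXONOMY + "}"):
            element = el.tag.split("}", 1)[1]
            facts[element] = (float(el.text), units[el.get("unitRef")], periods[el.get("contextRef")])
    return facts


def compare(instances, element):
    """Both filers tagged the same element, so the figures line up regardless of their own labels."""
    return {entity: read_facts(xml)[element][0] for entity, xml in instances.items()}


def demo():
    # Two companies describe the same item differently in their own statements ...
    a_rows = {"Turnover": 1500000, "Profit for the year": 120000}
    b_rows = {"Revenue from operations": 2300000, "Net profit": 310000}
    # ... but tag both to the same taxonomy elements.
    a = build_instance("CO-A", "2024-03-31", "INR",
                       tag_report(a_rows, {"Turnover": "Revenue", "Profit for the year": "ProfitLoss"}))
    b = build_instance("CO-B", "2024-03-31", "INR",
                       tag_report(b_rows, {"Revenue from operations": "Revenue", "Net profit": "ProfitLoss"}))
    return compare({"CO-A": a, "CO-B": b}, "Revenue"), read_facts(a)["ProfitLoss"]
```

The consumer side never sees the words "Turnover" or "Revenue from operations"; it asks for the element `Revenue` and gets a number with its currency and period attached, which is what makes straight-through processing across a reporting chain possible.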
47. What is the basic purpose of XBRL? Discuss its important features as well.
XBRL is used in many ways, for many different purposes, including by:
(i) Regulators
· Financial regulators that need significant amounts of complex performance
and risk information about the institutions that they regulate.
· Securities regulators and stock exchanges that need to analyze the
performance and compliance of listed companies and securities, and need to
ensure that this information is available to markets to consume and analyze.
· Business registrars that need to receive and make publicly available a range of
corporate data about private and public companies, including annual financial
statements.
· Tax authorities that need financial statements and other compliance
information from companies to process and review their corporate tax affairs.
(ii) Companies
· Companies that need to provide information to one or more of the regulators
mentioned above.
· Enterprises that need to accurately move information around within a complex
group.
(iii) Governments
· Government agencies that are simplifying the process of businesses reporting
to government
· Government agencies that are improving government reporting by
standardizing the way that consolidated or transactional reports are prepared
and used within government agencies and/or published into the public
domain.
(iv) Accountants
· Accountants use XBRL in support of clients' reporting requirements and are
often involved in the preparation of XBRL reports.
APPLICABLE REGULATORY & COMPLIANCE REQUIREMENTS
What is Regulatory Compliance?
In general, Compliance means conforming to a rule, such as a specification, policy,
standard or law. Regulatory Compliance describes the goal that organizations aspire to
achieve in their efforts to ensure that they are aware of and take steps to comply with
relevant laws, policies, and regulations.
Regulatory compliance is an organization’s adherence to laws, regulations, guidelines and
specifications relevant to its business. Violations of regulatory compliance regulations
often result in legal punishment, including interest, penalty and prosecution in some
cases.
By and large we can classify the compliance and regulatory requirements into two types as
under.
a. General - Applicable to all irrespective of anything.
b. Specific - Applicable to specific type of businesses only.
E.g. Income Tax compliance is applicable to all subject to basic exemption limit. But
compliance regarding GST, Labour Law, Company Law, etc. are applicable to specific type
of businesses / entities only.
48. What are the pros and cons of having single software for accounting and tax
compliance?
Pros and Cons of having single software for
Accounting and Tax Compliance
1. Ease of software operation
§ Accounting & Tax Compliance Software: Less - as this is an integrated system of accounting and tax compliance, everything is connected with everything else and making changes at one place may affect other aspects also.
§ Only Tax Compliance Software: More - as this is used only for one single purpose, i.e. tax compliance, it is less complicated and bound to be easy.
2. Features and facilities
§ Accounting & Tax Compliance Software: Less - as this system is not an exclusive system for tax compliance, it may have limited features for tax compliance.
§ Only Tax Compliance Software: More - as this is an exclusive and specifically designed system for tax compliance, naturally more features and facilities shall exist in this system.
3. Time and efforts required
§ Accounting & Tax Compliance Software: Less - as this is an integrated system, time required to transfer data to compliance software is zero.
§ Only Tax Compliance Software: More - as this is a separate software, data from the accounting software needs to be put into it for preparation of returns. This may take extra time and effort.
4. Accuracy
§ Accounting & Tax Compliance Software: More - as this is an integrated system, accounting data and tax compliance data shall always be the same. No need to transfer data to compliance software and reconcile the data.
§ Only Tax Compliance Software: Less - as there are two separate systems, reconciliation with accounting data is needed, and the possibility of mismatch of data is always there.
5. Cost
§ Accounting & Tax Compliance Software: More - if the tax compliance feature is not available in the accounting system, getting it customized may require some amount of cost which may be higher than buying separate software.
§ Only Tax Compliance Software: Less - as this is specific purpose software, there shall be fewer complications and the cost also shall be less.
CHAPTER 3
INFORMATION SYSTEMS & ITS COMPONENTS
Section 1: Information Systems Components
1. What is Information system
Data:
· Data is a raw fact and can take the form of a number or statement, such as a
date or a measurement, which by itself has no meaning.
Information:
· Processed data is known as information.
· Information is organized and compiled data that has some value to the
receiver or information is data that has been transferred into a meaningful
and useful form for specific purpose.
System:
· A system is a set of mutually related, coordinated elements or components
that operate together to accomplish common objectives by taking inputs and
producing outputs in an organized manner.
Information System:
· It is a combination of people, hardware, software, communication
devices, network and data resources that processes data and generates
information for a specific purpose.
· In other words, Information System is a set of interrelated components working
together to collect, retrieve, process, store and disseminate (distribute)
information for the purpose of achieving objectives such as planning,
coordination, analysis and decision making.
Five activities of Generic System:
· Systems have a number of interrelated & interdependent sub-systems. No
sub-system can function in isolation. It depends on other sub-systems for
inputs.
· If one sub-system / component fails, in most cases the whole system
doesn't work.
· The way a sub-system works with other sub-systems is called
interaction. The different sub-systems interact with each other to achieve the
goals of the system.
· The work done by individual sub-systems is integrated to achieve the central
goal of the system.
Input devices:
Processing devices:
Central Processing Unit (CPU):
· It is like the brain / heart of the computer.
· The CPU is built on a small chip of silicon and it can contain several million
transistors.
· The main function of CPU or Processor is to interpret and execute
Programs stored in memory and coordinates the other hardware devices.
· It consists of three functional units:
§ Control Unit (CU): CU controls the flow of data and instruction to and from
memory, interprets the instruction and controls which tasks to execute
and when.
§ Registers: These are high speed memory / storage units within CPU for
storing small amount of data (mostly 32 or 64 bits). Registers are used as
work area for temporary storage of instructions and data during the
operations of the control and Arithmetical Logical Unit.
· Accumulators: They store the intermediate results of a processing or can keep
running totals of arithmetic values.
· Address Registers: They can store memory addresses which tell the CPU as to
where in the memory an instruction is located.
· Storage Registers: They can temporarily store data that is being sent to or
coming from the system memory.
· Miscellaneous: These are used for several functions for general purpose.
(Q: What is CPU. What are the three functional units of CPU) (PM)
6. Explain briefly about Memory concept?
Explain about data storage devices.
As the name indicates, these types of devices refer to the memory where data and
programs are stored. Various types of memory techniques / devices are given as
follows:
A. Internal memory:
(i) Registers: Registers are internal memory within CPU, which are very
fast and very small.
· ROM is provided by manufacturer on motherboard and generally it
is not expandable memory.
C. Virtual Memory:
· Virtual Memory is not an actual Memory, it’s an imaginary memory. It is a
memory technique which helps to execute big size programs with small
size available RAM.
· If a computer lacks the RAM needed to run a Program or operation,
Windows uses virtual memory to compensate.
· Virtual memory combines computer's RAM with temporary space on
the hard disk. When RAM runs low, virtual memory moves data from
RAM to a space called a paging file or segmentation on hard disk.
· Moving data to and from the paging file frees up RAM to complete its
work.
· Thus, Virtual memory is an allocation of hard disk space to help RAM.
(Q. Difference between cache memory and virtual memory Nov 15)
D. Secondary Memory:
· Primary memory storage capacity is limited, expensive and volatile.
Hence, it is necessary to have secondary storage to hold data and
Programmes permanently.
· These memories are known as secondary storage because these
memories are not directly accessible by CPU. Data in these memories
are transferred through RAM or primary memory.
· Some of the commonly used secondary storage devices are – magnetic
tape drives, magnetic disk drives (hard disks, floppy disks, etc.), optical
disk drives (CDs, DVDs, Blu-ray disks etc.)
Characteristics of secondary storage devices:
c) Low cost: The cost of this type of memory is lower compared to register
or RAM.
d) Slow speed: Slower in speed compared to registers or RAM.
7. Explain output devices.
§ Graphical outputs are digital representations of non-text information such as
drawings, charts, photographs, and animation.
§ Tactile output such as raised line drawings may be useful for some
individuals who are blind.
§ Audio output is any music, speech, or any other sound.
§ Video output consists of images played back at speeds to provide the
appearance of full motion.
· Examples of output devices: Screen, Printer, Speaker etc.
10. Define the term Application Software? Mention briefly the different types of
application software. (PM) (Nov 15)
· Regular updates: Licensed application software gets regular updates from
the developer for security reasons. Additionally, the developer also regularly
sends personnel to correct any problems that may arise from time to time.
Disadvantages:
· Development is costly: Developing application software designed to meet
specific purposes can prove to be quite costly for user / organization.
· Infection from Malware: If application software is used commonly by many
people and shared online, it carries a very real threat of infection by a
computer virus or other malicious programs.
12. What are the major areas of computer-based applications? /
Application areas of computer-based applications
1. Inventory Management
(Stores Management)
· The inventory management system is designed with a view to keeping
track of materials in the stores.
· It is used to regulate the following aspects of inventory:
§ Maximum and minimum level of stocks
§ Raising alarm at danger level stock of any material
§ Give timely alerts for re-ordering of materials with optimal re-order
quantity
2. Production (Manufacturing)
· The objective of this subsystem is to optimally deploy men, machines
and materials to maximize production or service.
· The system generates production schedules and schedules of material
requirements
· It monitors the product quality and also helps in overhead cost control
and waste control.
3. Marketing and Sales
· The objective of this subsystem is to maximize sales and ensure
customer satisfaction.
· The marketing system increases the chances of order procurement by
facilitating the marketing of products of the company, the creation of
new customers and the advertising of products.
· The sales department may use the system to keep status and track of
orders and generate bills for the orders executed and delivered to the
customer.
· Human resource is the most valuable asset of an organization. Utilizing this
resource in the most effective and efficient way is an important function for
any enterprise. A human resource management system aims to achieve the goal
of fewer disputes and the right utilization of manpower.
Data is a crucial resource for an organization, and for the smooth functioning of
the organization it is necessary that this data be managed very effectively. In
banks, insurance companies, stock exchanges etc. data is the key asset, and any
loss or mismanagement of data may result in economic and reputational losses.
Data: Data represents the facts and figures such as name, address, age, numbers
etc.
A Database is a collection of related data.
DBMS: A DBMS is a collection of Programs that enables users to create and
maintain a database and facilitates the processes of defining, constructing, and
manipulating databases for various applications.
14. Explain the major objectives of the organization while using DBMS and
operations performed by DBMS?
Hierarchy of Database:
· File: This is a collection of Records.
· Record: This is a collection of Fields.
· Field: This is a collection of Characters.
· Characters: These are a collection of Bits.
Q: List four phases of evolution in the Hierarchy of Database modeling (Nov 16)
Features:
a) The hierarchy has to be pre-determined and implemented; therefore, these
databases are fixed in structure and are less flexible than other database
structures.
b) Ad hoc queries cannot be made by the managers.
c) If a particular record has to be traced, tracing starts from the root and
continues downwards until the requisite record is located.
d) When the parent node is deleted, all the child nodes get automatically
deleted.
c) This feature allows the network model to implement the one-to-one, one-to-
many, many-to-one and the many-to-many relationship types.
Features:
a) It is a modified version of Hierarchical Data model.
b) It is very difficult to develop this type of database structures.
c) It is useful for one-to-one, one-to-many, many-to-one and many-to-many
record relationships.
d) The relationships should be pre-determined.
19. Explain the Relational Database Model in detail. (PM)
Example:
A relational database consists of a set of tables, where each table consists of a
fixed collection of columns (also called fields). An indefinite number of rows (or
records) occurs within each table. However, each row must have a unique primary
key, which is a sort of name for that particular bundle of data. The figure above
illustrates the relational database structure. As well as having primary keys,
tables typically have some secondary keys. The secondary keys correspond with
primary keys in other tables. For example, in Figure 2, the BOOKS table has
secondary keys AuthorID and PubID. These, in turn, serve as primary keys for the
AUTHORS and PUBLISHERS tables. The idea here is that every BOOKS row has a
distinct ISBN value, each AUTHORS row a unique AuthorID, and each PUBLISHERS row
a unique PubID.
As a constraint on the relation between tables, you can state, for example, that for
a row to exist in BOOKS, there must exist a row in PUBLISHERS with the PubID
you want to use in BOOKS. If one publisher can "have" multiple books in this way,
it's called a one-to-many relation. On the other hand, if one author can have
multiple books, and one book can also have multiple authors, it's called a many-to-
many relation. To round things out, you can also define one-to-one relations,
where one primary key must match exactly one secondary key. It is the job of
RDBMSs to enforce just these types of rules.
(Source: www.ibm.com)
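As an added example (not from these notes or from the IBM source), the BOOKS / AUTHORS / PUBLISHERS structure above expressed as SQL tables with primary keys and secondary (foreign) keys, run through Python's sqlite3 so that the rules an RDBMS enforces can be observed. Table and column names are taken from the text; the sample rows, names and ISBNs are constructed.

```python
import sqlite3

# Schema mirroring the BOOKS / AUTHORS / PUBLISHERS example in the text.
SCHEMA = """
CREATE TABLE PUBLISHERS (
    PubID INTEGER PRIMARY KEY,
    Name  TEXT NOT NULL
);
CREATE TABLE AUTHORS (
    AuthorID INTEGER PRIMARY KEY,
    Name     TEXT NOT NULL
);
CREATE TABLE BOOKS (
    ISBN     TEXT PRIMARY KEY,               -- every BOOKS row has a distinct ISBN
    Title    TEXT NOT NULL,
    AuthorID INTEGER NOT NULL REFERENCES AUTHORS (AuthorID),   -- secondary key
    PubID    INTEGER NOT NULL REFERENCES PUBLISHERS (PubID)    -- secondary key
);
"""

# Constructed sample rows (not from the page).
PUBLISHERS = [(1, "Example Press"), (2, "Sample House")]
AUTHORS = [(10, "A. Writer"), (11, "B. Scribe")]
BOOKS = [
    ("978-0-00-000001-1", "First Ledger", 10, 1),
    ("978-0-00-000002-8", "Second Ledger", 11, 1),
]


def open_library_db():
    """Create an in-memory database with the three tables and the sample rows."""
    conn = sqlite3.connect(":memory:")
    # SQLite only enforces REFERENCES clauses when this pragma is on for the connection.
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO PUBLISHERS VALUES (?, ?)", PUBLISHERS)
    conn.executemany("INSERT INTO AUTHORS VALUES (?, ?)", AUTHORS)
    conn.executemany("INSERT INTO BOOKS VALUES (?, ?, ?, ?)", BOOKS)
    conn.commit()
    return conn


def insert_book(conn, isbn, title, author_id, pub_id):
    """Try to add a BOOKS row. Returns True if the RDBMS accepts it and False if it
    rejects the row because the ISBN is already used or because the AuthorID or
    PubID does not exist in the parent table (the one-to-many rule in the text)."""
    try:
        with conn:  # commits on success, rolls back on error
            conn.execute("INSERT INTO BOOKS VALUES (?, ?, ?, ?)",
                         (isbn, title, author_id, pub_id))
        return True
    except sqlite3.IntegrityError:
        return False


def delete_publisher(conn, pub_id):
    """Try to remove a publisher. Refused while any BOOKS row still points at it."""
    try:
        with conn:
            conn.execute("DELETE FROM PUBLISHERS WHERE PubID = ?", (pub_id,))
        return True
    except sqlite3.IntegrityError:
        return False


def books_per_publisher(conn):
    """Join across the secondary key to count the books of each publisher."""
    rows = conn.execute(
        """SELECT p.Name, COUNT(b.ISBN)
             FROM PUBLISHERS p LEFT JOIN BOOKS b ON b.PubID = p.PubID
            GROUP BY p.PubID ORDER BY p.PubID"""
    ).fetchall()
    return dict(rows)


if __name__ == "__main__":
    db = open_library_db()
    print(insert_book(db, "978-0-00-000003-5", "Third Ledger", 11, 2))  # True
    print(insert_book(db, "978-0-00-000004-2", "Orphan", 10, 99))       # False: no PubID 99
    print(delete_publisher(db, 1))                                        # False: still has books
    print(books_per_publisher(db))
```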
Advantages:
a) Highly flexible for programming and retrieving data.
b) It is much easier to use, as SQL (Structured Query Language) serves as a
uniform interface for creating and manipulating the database.
c) It can handle queries in a more efficient way.
Disadvantages:
a) Storage space requirements are high.
b) Processing efficiency is comparatively low.
c) Requires more processing capacity and memory.
d) Processing can’t be done without establishing the relationships.
20. Explain Object Oriented Database Model in detail. (PM) (Nov 16)
a) The object oriented database model is the latest development in database
technology. In it, all the elements of the database are modeled as objects, and
these objects can be linked together to create the entire database structure.
b) Objects are predefined sets of program code used to perform a specific task.
The model is based on the concept of objects and their interactions.
c) An object-oriented database provides a mechanism to store complex data such
as images, audio and video.
d) An object-oriented database management system (OODBMS) lets objects that
programmers create in a programming language behave as database objects.
e) Here, new objects can be created, or old objects can be modified, reused or
copied.
f) Examples of its use include engineering applications such as Computer Aided
Design (CAD), Computer Aided Engineering (CAE), multimedia systems, image
processing systems and expert systems.
21. List out the Advantages and Disadvantages of a DBMS. (PM) (Nov 15)
· The Bottom-Up Approach starts by creating small data warehouses, called
data marts, to solve specific business problems. As these data marts are
created, they can be combined into a larger data warehouse.
· The Top-Down Approach suggests that we should start by creating an
enterprise-wide data warehouse and then, as specific business needs are
identified, create smaller data marts from the data warehouse.
Benefits of Data Warehouse
· The process of developing a data warehouse forces an organization to better
understand the data that it is currently collecting and, equally important, what
data is not being collected.
· A data warehouse provides a centralized view of all data being collected across
the enterprise and provides a means for determining data that is inconsistent.
· Once all the data is brought together, the organization can compare present
data with historical data.
· By having a data warehouse, snapshots of data can be taken over time. This
creates a historical record of data, which allows for an analysis of trends.
· A data warehouse provides tools to combine data, which can yield new
information and analysis.
24. Explain Data Mining:
· Data Mining is the process of analyzing data to find previously unknown
trends, patterns, and associations to make decisions.
· Generally, data mining is accomplished through automated means against
extremely large data sets, such as a data warehouse.
· Some examples of data mining include:
§ An analysis of sales from a large grocery chain might determine that milk is
purchased more frequently the day after it rains in cities with a population of
less than 50,000
§ A bank may find that loan applicants whose bank accounts show particular
deposit and withdrawal patterns are not good credit risks.
25. Write about computer networks or network links.
· Types of Network:
a) Connection Oriented networks: networks in which a connection is first
established and then data is exchanged. An example is the telephone
network. This uses a data communication technique known as
circuit switching.
The following four terms can be considered while transferring data from
Sender to Receiver (basic issues to be addressed):
27. Explain following terms
· Packet:
§ The fundamental unit of data transmitted over the Internet. When a device intends
to send a message to another device (for example, your PC sends a request to
YouTube to open a video), it breaks the message down into smaller pieces, called
packets.
§ Each packet has the sender’s address, the destination address, a sequence
number, and a piece of the overall message to be sent.
· Repeater:
§ A repeater regenerates the signal on the same network before the signal
becomes too weak or corrupted, extending the distance over which the signal
can be transmitted on that network.
§ Repeaters do not amplify the signal; instead, when the signal becomes weak, they
copy it bit by bit and regenerate it at its original strength.
· HUB: Hub is used in LAN for sharing of the network resources such as servers,
LAN workstations, printers, etc.
· Bridges: Bridge is a communications processor that connects numerous Local Area
Networks (LAN). It magnifies the data transmission signal while passing data from
one LAN to another.
· Routers: Router is a communication processor that interconnects networks based
on different rules or protocols. This device also helps to select the best route
(shortest and most reliable route) when there are multiple paths available.
· MAC Address:
§ These are most often assigned by the manufacturer of a Network Interface
Controller (NIC) and are stored in its hardware, such as the card’s read-only
memory.
§ If assigned by the manufacturer, a MAC address usually encodes the
manufacturer’s registered identification number.
· Network topology:
§ The geometrical arrangement of computer resources, remote devices, and
communication facilities is known as network structure or network topology.
§ A network structure determines how one computer in the network can
communicate with other computers.
§ Common topologies are;
o Star Network that involves a central unit with a number of terminals tied into
it;
o Bus Network in which a single length of wire, cable, or optical fiber (called
bus) connects several computers;
o Ring Network much like a bus network, except the length of wire, cable, or
optical fiber connects to form a loop; and
o Mesh Network in which each node is connected by a dedicated point to
point link to every node.
· Transmission Mode:
§ It determines the direction of data flow from one system to another system in
a communication network.
§ There are three different transmission modes.
o Simplex: In this mode data is transmitted in one direction only.
o Half duplex: Data can be transmitted in both directions, but in only one
direction at a time.
o Full duplex: A full duplex connection can simultaneously transmit and
receive data between two stations.
· Protocols:
§ A protocol is the formal set of rules for error-free and reliable data
communication. In a network, many devices are connected with each other to
exchange data and information. For the exchange of information between the
connected devices to be smooth and correct, these devices must adhere to a
common set of rules, and these rules are known as protocols.
§ Protocols allow heterogeneous computers to talk to each other.
· IP Address:
§ Every device that communicates on the Internet, whether it be a personal
computer, a tablet, a smartphone, or anything else, is assigned a unique
identifying number called an IP (Internet Protocol) address.
§ For example, let’s say the domain wikipedia.org has the IP address of
107.25.196.166.
§ Historically, the IP-address standard used has been IPv4 (version 4), currently the
standard which is in use is IPv6 (version 6)
· Domain Name:
§ A Domain Name is a human-friendly name for a device on the Internet.
§ These names generally consist of a descriptive text followed by the top-level
domain (TLD).
§ For example, Wikipedia’s domain name is wikipedia.org; Wikipedia describes the
organization and .org is the top-level domain.
§ In this case, the .org TLD is designed for non-profit organizations.
§ Other well-known TLDs include .com, .net, and .gov.
· Packet Switching:
§ When a packet is sent from one device out over the Internet, it does not follow a
straight path to its destination.
§ Instead, it is passed from one router to another across the Internet until it
reaches its destination.
§ In fact, sometimes two packets from the same message will take different routes.
· Wi-Fi:
§ Wi-Fi is the name of a popular Wireless Networking technology that uses radio
waves to provide wireless high-speed Internet and reliable network connections.
§ It has limited range. A typical wireless access point might have a range of 65 ft.
§ The Wi-Fi Alliance defines Wi-Fi products based on the Institute of Electrical and
Electronics Engineers' (IEEE) 802.11 standards.
§ One of the primary places where Wi-Fi is being used is in the home.
§ However, with increase in smart phone sales, Wi-Fi hotspot services are being
provided at various public places to provide better customer service.
Corrective controls
· Are designed to reduce the impact or correct an error once it has been detected.
· Ex: Cleaning a file detected to contain virus, data backups, stand by server, failover
networks etc. (Business continuity plan)
While ideally an organization would like to implement the primary control, due to
various constraints like technology, cost etc. it may not be able to do so. In such
circumstances it is advisable to implement compensatory controls, which can be defined
as follows: "compensatory controls reduce the risk of the original / primary controls not
being in place." They do not replace the original controls and are not as effective as the
original controls.
Fire Damage:
4. Smoke Detectors
· Smoke detectors are positioned at places above and below the ceiling tiles.
· Upon activation, these detectors should produce an audible alarm and must be linked
to a monitored station (for example, a fire station).
Power Spikes:
Water Damage:
13. Some of the other major ways of protecting the installation against water damage are
as follows:
· Wherever possible have waterproof ceilings, walls and floors;
· Ensure an adequate positive drainage system exists;
· Install alarms at strategic points within the installation;
· In flood areas, have the installation on the upper floors but not on the top floor;
· Water proofing; and
· Water leakage Alarms.
15. Prohibitions Against Eating, Drinking and Smoking within the Information
Processing Facility
· Eating, drinking and smoking should be prohibited in the information processing
facility. This prohibition should be made clear, e.g. by a sign on the entry door.
16. The major pollutant in a computer installation is dust. Dust caught between the
surfaces of magnetic tape / disk and the reading and writing heads may cause either
permanent damage to data or read/ write errors.
3. Logging on utilities:
· Manual logging:
§ All visitors should be prompted to sign a visitor’s log indicating their name,
company represented, their purpose of visit & person to see.
§ Logging may happen at both the front reception & entrance to the computer
room.
§ A valid & acceptable identification such as driver’s license, business card or
vendor identification tag may also be asked for before gaining entry inside the
company.
· Electronic logging: This feature is a combination of an electronic and a biometric
security system. Users logging in can be monitored, and unsuccessful attempts
are highlighted.
Logical Access Violators are often the same people who exploit physical exposures,
although the skills needed to exploit logical exposures are more technical and complex.
They are mainly:
· Hackers: Hackers try their best to overcome restrictions to prove their ability.
· Employees (authorized or unauthorized);
· IS Personnel: They have the easiest access to computerized information, since
they come across information while discharging their duties. Segregation of
duties and supervision help to reduce logical access violations;
· Former Employees: One should be cautious of former employees who have left the
organization on unfavorable terms;
· End Users; Interested or Educated Outsiders; Competitors; Foreigners; Organized
Criminals; Crackers; Part-time and Temporary Personnel; Vendors and
consultants; and Accidental Ignorant – Violation done unknowingly.
12. What are the different types of logical access exposures / threats?
1. Technical exposure
Technical exposures include unauthorized implementation or modification of data and
software. Technical exposures include the following:
i) Data Diddling:
Data diddling involves changing data before or as it is entered into the
system. Only limited technical knowledge is required to diddle data, and the
worst part is that it occurs before computer security can protect the data.
v) Worms: (PM)
· A worm is a program that resides in the computer's memory and replicates
into areas of idle memory.
· A worm systematically occupies idle memory until the memory is exhausted and
the system fails. Worms are limited in damage, as the network traffic they
generate grows so exponentially that they can quickly be identified and blocked.
· A worm is similar to a virus in terms of self-replication.
viii) Trapdoors:
· System programmers insert code (in program) which compromises the usual
controls, but only with a positive objective.
· Ex: For program debugging, used by developers / maintenance staff.
· These codes are generally removed after the activity. But, when they are not
removed they may become reason for compromise.
These occur in many environments where data can be moved asynchronously across
telecommunication lines. Numerous transmissions must wait for the line to clear
before their data can be transmitted. Data that is waiting to be transmitted is
liable to unauthorized access, which is called an asynchronous attack.
i) Data Leakage:
Stealing information from computers by unauthorized copying onto external media like
CDs, USB storage etc., or by taking printouts of reports.
ii) Subversive Threats: Subversive attacks can provide intruders with important
information about messages being transmitted and the intruder can manipulate
these messages in many ways.
iii) Piggybacking:
· This is the act of following an authorized user through a secured door, or of
electronically attaching to an authorized telecommunication link.
· Ex: When a user has logged in to a website, an unauthorized user follows and enters.
After an authorized user has physically entered an information processing facility,
an unauthorized user follows before the door has closed.
iv) Wire-tapping:
This involves spying on information being transmitted over telecommunication
network.
· User responsibilities:
§ Password use: Mandatory use of strong passwords to maintain confidentiality.
§ Unattended user equipment: Users should ensure that none of the
equipment under their responsibility is ever left unprotected. They should also
secure their PCs with a password, and should not leave it accessible to others.
Ø The call- back device requires the user to enter a password and then the
system breaks the connection.
Ø If the caller is authorized, the call back device dials the caller’s number to
establish a new connection.
Ø This limits access only from authorized terminals or telephone numbers
and prevents an intruder masquerading as a legitimate user.
§ Policy on use of network services: An enterprise wide applicable network /
internet policy should be there. Selection of appropriate services and approval
to access them will be part of this policy.
· Mobile Computing:
§ Theft of data carried on the disk drives of portable computers is a high risk
factor. Both physical and logical access to these systems is critical.
Information is to be encrypted and access identifications like fingerprint,
eye-iris etc. are necessary security features.
Auditors might choose to factor systems in several different ways. Auditors have found
two ways to be especially useful when conducting information systems audits. These are
discussed below:
(A) Managerial Controls: In this part, we shall examine the managerial
controls that must be exercised to ensure the development, implementation,
operation and maintenance of information systems in a planned and
controlled manner in an organization. The controls at this level provide a stable
infrastructure in which information systems can be built, operated, and maintained
on a day-to-day basis, as discussed in the following table:
Control: Information Systems Management
Description: IS management has overall responsibility for the planning and control
of all information system activities. It also provides advice to top
management in relation to long-run policy decision making and
translates long-run policies into short-run goals and objectives.
Management quality standards.
Control: Security Administration
Description: It is responsible for access controls and physical security over the
information systems function.
(B) Application Controls: These include the programmatic routines within the
application program code. The objective of application controls is to ensure that data
remains complete, accurate and valid during its input, update and storage. The specific
controls could include form design, source document controls, input, processing and
output controls, media identification, movement and library management, data back-up
and recovery, authentication and integrity, legal and regulatory requirements. Any
function or activity that works to ensure the processing accuracy of the application can be
considered an application control. Necessary controls belonging to this category are
discussed in separate headings.
Application Control: Description of Control
· Boundary: Comprises the components that establish the interface between the
user and the system.
· Database: Comprises the components that define, add, access, modify, and
delete data in the system.
· Output: Comprises the components that retrieve and present data to users of
the system.
Ø Planning – determining the goals of the information systems function and the means
of achieving these goals;
· Preparing the plan: This involves the following tasks:
§ Recognizing opportunities and problems that confront the organization in
which Information technology and Information systems can be applied cost
effectively;
§ Identifying the resources needed to provide the required information
technology and information systems; and
§ Formulating strategies and tactics for acquiring the needed resources.
· Types of plans: Top management must prepare two types of information systems
plans for the information systems function: a Strategic plan and an Operational
plan. The Strategic Plan is the long-run plan covering, say, the next three to five
years of operations, whereas the Operational Plan is the short-run plan covering,
say, the next one to three years of operations.
· Role of a Steering Committee: The steering committee shall comprise
representatives from all areas of the business, and IT personnel. The committee
would be responsible for the overall direction of IT.
System development includes the activities for developing a new system and system
development processes follow the System Development Life Cycle (SDLC) steps.
Thus, system development controls are mainly controls related to SDLC.
4. Program Testing
· All programs must be thoroughly tested before they are implemented.
· The results of the tests are then compared against predetermined results to identify
programming and logic errors.
5. User Test and Acceptance Procedures
· Just before implementation, the individual modules of the system must be tested as a
unified whole.
· A test team comprising user personnel, systems professionals, and internal audit
personnel subjects the system to rigorous testing.
· Once the test team is satisfied that the system meets its stated requirements, the
system is formally accepted by the user departments.
6. Internal Auditor’s Participation
· The internal auditor plays an important role in the control of systems development
activities, particularly in organizations whose users lack technical expertise.
· Auditor’s involvement should be continued throughout all phases of the development
process and into the maintenance phase.
during software development or acquisition is to monitor progress against plan and to
ensure software released for production use is authentic, accurate, and complete.
Phase Controls
(iv) Data Resource Management Controls: Many organizations now recognize that
data is a critical resource that must be managed properly, and accordingly
centralized planning and control are implemented. For data to be managed better, users
must be able to share data, data must be available to users when it is needed, in the
location where it is needed, and in the form in which it is needed. Further it must be
possible to modify data fairly easily and the integrity of the data be preserved. If data
repository system is used properly, it can enhance data and application system reliability.
It must be controlled carefully, however, because the consequences are serious if the
data definition is compromised or destroyed. Careful control should be exercised over
the roles by appointing senior, trustworthy persons, separating duties to the extent
possible and maintaining and monitoring logs of the data administrator’s and
database administrator’s activities.
· Update Controls: These controls restrict update of the database to authorized users
in two ways:
§ By permitting only addition of data to the database; and
§ Allowing users to change or delete existing data.
The reasons for the emergence of Quality assurance in many organizations are as
follows:
· Users are becoming more demanding in terms of the quality of the software they
employ to undertake their work.
· Organizations are undertaking more ambitious information systems projects that
require more stringent quality requirements.
· Organizations are becoming more concerned about their liabilities if they produce
and sell defective software.
· Improving the quality of Information Systems is a part of a worldwide trend among
organizations to improve the quality of the goods and services they sell.
Quality Assurance (QA) personnel should work to improve the quality of information
systems produced, implemented, operated, and maintained in an organization. They
perform a monitoring role for management to ensure that –
· Quality goals are established and understood clearly by all stakeholders; and
· Compliance occurs with the standards that are in place to attain quality information
systems.
Some of the major threats to the security of information systems, and their controls,
are discussed in the following table:
Threat: Control
· Water: Facilities must be designed and sited to mitigate losses from water
damage.
· Intrusion: data and services
· Hackers: Strong, logical access controls to mitigate losses from the activities
of hackers.
However, in spite of the controls in place, there is a possibility that a control might
fail. When disaster strikes, it must still be possible to recover operations and mitigate
losses using the last-resort controls: a Disaster Recovery Plan (DRP) and Insurance.
· DRP: A comprehensive DRP comprises four parts: an Emergency Plan, a Backup
Plan, a Recovery Plan and a Test Plan. The plan lays down the policies, guidelines,
and procedures for all Information System personnel.
· Insurance: Adequate insurance must be able to replace Information Systems assets
and to cover the extra costs associated with restoring normal operations. Policies
usually can be obtained to cover the resources like – Equipment, Facilities, Storage
Media, Valuable Papers and Records etc.
· Network Operations: This includes the proper functioning of network operations and
monitoring the performance of network communication channels, network devices,
and network programs and files. Data may be lost or corrupted through component
failure. The primary components in the communication sub-systems are given as
follows:
§ Communication lines viz. twisted pair, coaxial cables, fiber optics, microwave
and satellite etc.
§ Hardware – ports, modems, multiplexers, switches and concentrators etc.
§ Software – Packet switching software, polling software, data compression
software etc.
Due to component failure, transmission between sender and receiver may be disrupted,
destroyed or corrupted in the communication system.
Application Controls
· Application controls deal with the exposures or risks within an application in terms
of input, processing and output. For example, banking and railway applications need
controls for error-free inputs, processing and outputs.
· Application Controls can be divided into following major categories / types.
§ Boundary Controls,
§ Input Controls,
§ Process Controls,
§ Output Controls,
§ Database Controls,
§ Communication controls
1. Boundary Controls:
§ Boundary Controls establish interface between the user of the system and the
system itself.
§ The major controls of the boundary system are the Access controls. Access
controls are implemented through an access control mechanism, which links
authentic users to the authorized resources they are permitted to access.
§ The access control mechanism has three steps of “identification”,
“authentication” and “authorization” with respect to the access control
policy.
§ Examples of Boundary Control techniques are:
o Cryptography
o Passwords
o Personal Identification Number
o Identification Cards
o Biometric devices
2. Input controls:
· The data collection component of an information system is responsible for bringing
data into the system for processing. Input control at this stage ensures that data
input is valid, accurate and complete. Data can be input either from a source
document or by direct (online) input.
· Input controls are divided into the following broad classes:
§ Source Document Control,
§ Data Coding Controls,
§ Batch controls, and
§ Validation Controls.
Source document numbers enable accurate accounting of document usage and
provide an audit trail for tracing transactions through accounting records.
§ Use source documents in sequence: Source documents should be distributed
to the users and used in sequence. This requires that adequate physical security
be maintained over the source document inventory at the user site. When not in
use, documents should be kept under lock and key, and access to source
documents should be limited to authorized persons.
§ Periodically audit source documents: Missing source documents should be
identified by reconciling document sequence numbers. Periodically, the auditor
should compare the numbers of documents used to date with those remaining in
inventory plus those voided due to errors. Documents not accounted for should be
reported to management.
Data Coding Controls are required primarily to check two types of errors which can
corrupt a data code and cause processing errors, i.e. the transcription and
transposition errors.
(c) Batch Controls: Batching is the process of grouping together transactions that bear
some type of relationship to each other. Various controls can be exercised over the batch
to prevent or detect errors or irregularities. Two types of batches occur:
• Physical Controls: These are groups of transactions that constitute a physical
unit. For example, source documents might be obtained via the mail, assembled into
batches, spiked and tied together, and then given to a data-entry clerk to be entered into
an application system at a terminal.
: 116 :
J.K.SHAH CLASSES INTER C.A. – I.T.
• Logical Controls: These are group of transactions bound together on some logical
basis, rather than being physically contiguous. For example - different clerks might use
the same terminal to enter transaction into an application system. Clerks keep control
totals of the transactions into an application system.
§ Financial totals: Grand totals calculated for each field containing money amounts.
§ Hash totals: Grand totals calculated for any code on a document in the batch, e.g. the source document serial numbers can be totalled.
§ Document/Record counts: Grand totals for the number of documents or records in the batch.
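An added example, not from the textbook, showing the three control totals computed on a constructed batch of four transactions and reconciled against what a data-entry clerk actually keyed. Each of the three constructed keying errors is exposed by a different total, which is why all three are kept together.

```python
# Added example: the three batch control totals from the table above, computed
# on a constructed batch and reconciled against what was actually keyed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    doc_no: int   # source document serial number
    amount: int   # money amount in the smallest currency unit (integers avoid float drift)


def batch_totals(txns) -> dict:
    """Financial total, hash total and record count for a batch."""
    return {
        "financial_total": sum(t.amount for t in txns),
        "hash_total": sum(t.doc_no for t in txns),   # meaningless as a number, useful as a control
        "record_count": len(txns),
    }


def reconcile(batch_header: dict, keyed) -> list:
    """Compare the control totals written on the batch header with totals
    recomputed from the keyed transactions; return the names of the totals that
    disagree (an empty list means the batch is accepted)."""
    actual = batch_totals(keyed)
    return [name for name, expected in batch_header.items() if actual[name] != expected]


# Constructed source batch; the clerk's header totals are computed from it.
SOURCE_BATCH = [Txn(1001, 250_00), Txn(1002, 1_200_00), Txn(1003, 75_50), Txn(1004, 400_00)]
BATCH_HEADER = batch_totals(SOURCE_BATCH)

# Three keying errors and the totals that expose them:
DROPPED_RECORD = [t for t in SOURCE_BATCH if t.doc_no != 1003]                               # all three totals disagree
AMOUNT_TRANSPOSED = [Txn(1002, 2_100_00) if t.doc_no == 1002 else t for t in SOURCE_BATCH]  # financial total only
DOC_NO_MISKEYED = [Txn(1030, 75_50) if t.doc_no == 1003 else t for t in SOURCE_BATCH]       # hash total only


if __name__ == "__main__":
    for label, keyed in [("clean", SOURCE_BATCH), ("dropped record", DROPPED_RECORD),
                         ("amount 1200.00 keyed as 2100.00", AMOUNT_TRANSPOSED),
                         ("doc no 1003 keyed as 1030", DOC_NO_MISKEYED)]:
        print(f"{label:35s} -> {reconcile(BATCH_HEADER, keyed) or 'batch balances'}")
```

A financial total alone would not notice a mis-keyed document number, and a record count alone would not notice a substituted amount; two errors that cancel out (one amount keyed 10 too high, another 10 too low) defeat the financial total as well, which is why batch controls are combined with the record-level validation controls that follow.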
The net amount for 5,000 at a 10% discount may be computed twice, by two different routes, and the results compared:
5,000 - 5,000 × 10/100 = 4,500, and then, working back,
4,500 / (100 - 10) × 100 = 5,000.
§ Cross Checks: These may be employed to verify fields appearing in different files, to see that the results tally.
3. Processing Controls:
Four types of controls can be used to reduce expected losses from errors and irregularities associated with central processors:
(i) Timing Controls: A program might get stuck in an infinite loop. In the absence of any control, that program would retain use of the processor and prevent other programs from undertaking their work; timing controls limit the processor time a program may consume and interrupt it when the limit is exceeded.
(ii) Real Memory Controls: This comprises the fixed amount of primary storage in which
programs or data must reside for them to be executed or referenced by the central
processor. Real memory controls seek to detect and correct errors that occur in memory
and to protect areas of memory assigned to a program from illegal access by another
program.
(iii) Virtual Memory Controls: Virtual Memory exists when the addressable storage
space is larger than the available RAM. To achieve this outcome, a control mechanism
must be in place that maps virtual memory addresses into real memory addresses.
§ Exception Reports: Exception reports are generated to identify errors in the data processed. Such reports give the transaction code and the reason the transaction could not be processed. For example, while processing a journal entry, if only the debit entry was updated and the credit entry was not updated because one of the mandatory fields was absent, the exception report would detail the transaction code and why it was not updated in the database.
4. Output Controls:
· These controls ensure that error free output is delivered to authorized users and in a
secured manner.
· Controls can be for different form of outputs (i.e. for printed and display outputs), and
can be for batch processing and online system.
· Some of the key output controls are:
§ Storage and logging of sensitive, critical forms: Pre-printed stationery should
be stored securely and only authorized persons should be allowed access to
stationery supplies such as negotiable instruments etc.
§ Spooling / queuing: "Spool" is an acronym for Simultaneous Peripheral Operations Online. This is a process used to ensure that the user is able to continue working while the print operation is being completed. When a file is to be printed, the operating system stores the data stream to be sent to the printer in a temporary file on the hard disk. This file is then spooled to the printer as soon as the printer is ready to accept the data. This intermediate storage of output could lead to unauthorized disclosure and/or modification. A queue is the list of documents waiting to be printed on a particular printer; it should not be subject to unauthorized modification.
§ Controls over printing: Outputs should be made on the correct printer. Users
must be trained to select the correct printer and access restrictions may be placed
on the workstations that can be used for printing.
§ Report distribution and collection controls: Distribution of reports should be
made in a secure way to prevent unauthorized disclosure of data. It should be
made immediately after printing to ensure that the time gap between generation
and distribution is reduced. A log should be maintained for reports that were
generated and to whom these were distributed. Uncollected reports should be
stored securely.
§ Retention controls: Retention controls consider the duration for which outputs
should be retained before being destroyed. Various factors ranging from the need
of the output, use of the output, to legislative requirements would affect the
retention period.
Ø Sequence check when the transaction file updates the master file, to ensure the update is applied correctly.
Ø Ensure all records in the transaction file are processed: while processing, the transaction file records are mapped to the respective master file records, and the end-of-file of the transaction file is checked against the end-of-file of the master file.
Ø Ensure every transaction record is processed in the correct order.
Ø Maintain a suspense account: when mapping between a master record and a transaction record fails (for example, no matching master record exists), the transaction is posted to a suspense account. A non-zero balance on the suspense account reflects errors that remain to be corrected.
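The following added example (mine, not the textbook's) models the master file update controls listed above together with the exception report described under processing controls: the transaction file is checked for sequence, each record is matched to its master record, anything that cannot be posted (a record with its account field missing, an account with no master record, a record out of sequence) is carried to a suspense account and written to the exception report, and a final control total proves that nothing was lost. Master file, transaction file, account numbers and exception codes are all constructed.

```python
# Added example: updating a master file from a transaction file with the
# controls listed above (sequence check, master-record match, suspense account)
# plus an exception report of the kind described under processing controls.
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Txn:
    txn_no: int              # sequence number assigned when the record was captured
    account: Optional[str]   # master file key; None models a missing mandatory field
    amount: int              # debit positive, credit negative, smallest currency unit


@dataclass
class UpdateResult:
    master: dict                                      # updated master file (account -> balance)
    suspense: int = 0                                 # amounts that could not be posted
    exceptions: list = field(default_factory=list)    # (txn_no, code, reason)


def update_master(master: dict, txn_file: list) -> UpdateResult:
    result = UpdateResult(master=dict(master))        # the original master file is left untouched
    last_no = 0
    for t in txn_file:
        if t.txn_no <= last_no:                       # sequence check
            result.exceptions.append((t.txn_no, "SEQ", "record out of sequence; held in suspense"))
            result.suspense += t.amount
            continue
        last_no = t.txn_no
        if t.account is None:                         # mandatory field missing
            result.exceptions.append((t.txn_no, "FLD", "account field missing; held in suspense"))
            result.suspense += t.amount
            continue
        if t.account not in result.master:            # no matching master record
            result.exceptions.append((t.txn_no, "NOMATCH",
                                      f"no master record for account {t.account}; held in suspense"))
            result.suspense += t.amount
            continue
        result.master[t.account] += t.amount          # normal update
    return result


def totals_reconcile(master_before: dict, txn_file: list, result: UpdateResult) -> bool:
    """Completeness check: every amount on the transaction file ended up either
    in the master file or in the suspense account."""
    expected = sum(master_before.values()) + sum(t.amount for t in txn_file)
    return sum(result.master.values()) + result.suspense == expected


def exception_codes(result: UpdateResult) -> list:
    return [code for _, code, _ in result.exceptions]


# Constructed master file and transaction file.
MASTER = {"1001": 500_00, "2001": 0, "3001": 1_000_00}
TXN_FILE = [
    Txn(1, "1001", 250_00),    # debit posted normally
    Txn(2, None, -250_00),     # its credit leg lacks the account field: the exception-report case
    Txn(3, "3001", 100_00),
    Txn(4, "9999", -100_00),   # account absent from the master file
    Txn(6, "2001", 50_00),
    Txn(5, "2001", -50_00),    # arrives after txn 6: sequence error
]
RESULT = update_master(MASTER, TXN_FILE)


if __name__ == "__main__":
    for txn_no, code, reason in RESULT.exceptions:     # the exception report
        print(f"txn {txn_no:>3}  {code:8s} {reason}")
    print("suspense balance:", RESULT.suspense)         # -40000: errors remain to be corrected
    print("totals reconcile:", totals_reconcile(MASTER, TXN_FILE, RESULT))
```

The point of routing rejected amounts to suspense rather than dropping them is visible in the last line: master file plus suspense still equals the opening master file plus the whole transaction file, so a non-zero suspense balance is both the signal that errors exist and the amount that has to be cleared before the books are right.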
6. Communication Controls:
(a) Physical Component Controls: These controls incorporate features that mitigate the
possible effects of exposures. The Table below gives an overview of how physical
components can affect communication subsystem reliability.
§ Transmission media: A physical path along which a signal can be transmitted between a sender and a receiver. It is of two types:
• Guided/bound media, in which the signals are transported along an enclosed physical path, such as twisted pair, coaxial cable and optical fibre.
§ Modem: Modulates digital data for transmission over a communication line (and demodulates it at the receiving end); a higher-speed modem increases the speed with which data can be transmitted over the line.
(b) Line Error Control: Whenever data is transmitted over a communication line, recall that it can be received in error because of attenuation, distortion or noise on the line. These errors must be detected and corrected.
· Error Detection: Errors can be detected either by using a loop (echo) check, in which the receiver sends the message back and the sender compares it with what was sent, or by building some form of redundancy (parity bits, checksums, cyclic redundancy checks) into the message transmitted.
· Error Correction: When line errors have been detected they must be corrected, using either forward error-correcting codes (enough redundancy is sent for the receiver to reconstruct the message on its own) or backward error correction (the receiver asks the sender to retransmit the message).
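An added example (not part of the textbook) of both halves of line error control in Python: redundancy in the form of a 16-bit cyclic redundancy check (the CRC-16/CCITT-FALSE variant: polynomial 0x1021, initial value 0xFFFF), an echo check, and backward error correction as a stop-and-wait retransmission loop. The "channel" that flips one bit of the first frame is constructed to simulate line noise.

```python
# Added example: line error control with a CRC (redundancy added to the
# message) and backward error correction by retransmission (stop-and-wait ARQ).
# CRC-16/CCITT-FALSE: polynomial 0x1021, initial value 0xFFFF, no reflection.


def crc16_ccitt(data: bytes) -> int:
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            if crc & 0x8000:
                crc = ((crc << 1) ^ 0x1021) & 0xFFFF
            else:
                crc = (crc << 1) & 0xFFFF
    return crc


def make_frame(payload: bytes) -> bytes:
    """Sender: append the 16-bit CRC (big-endian) to the payload."""
    return payload + crc16_ccitt(payload).to_bytes(2, "big")


def check_frame(frame: bytes):
    """Receiver: recompute the CRC over the payload; return (ok, payload)."""
    if len(frame) < 2:
        return False, b""
    payload, received = frame[:-2], int.from_bytes(frame[-2:], "big")
    return crc16_ccitt(payload) == received, payload


def echo_check(sent: bytes, echoed: bytes) -> bool:
    """Loop (echo) check: the receiver echoes the frame and the sender compares."""
    return sent == echoed


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Constructed line noise: invert one bit of the frame."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def send_with_arq(payload: bytes, channel, max_attempts: int = 3):
    """Backward error correction: transmit, and retransmit on a NAK until the
    receiver's CRC check passes. Returns (payload_as_received, attempts); the
    payload is None if the channel never delivered a clean frame."""
    frame = make_frame(payload)
    for attempt in range(1, max_attempts + 1):
        ok, data = check_frame(channel(frame))
        if ok:                       # receiver ACKs
            return data, attempt
        # receiver NAKs: retransmit the same frame
    return None, max_attempts


def noisy_first_attempt(bit_index: int = 5):
    """Constructed channel: corrupt one bit of the first frame it carries, then be clean."""
    count = {"frames": 0}

    def channel(frame: bytes) -> bytes:
        count["frames"] += 1
        return flip_bit(frame, bit_index) if count["frames"] == 1 else frame

    return channel


if __name__ == "__main__":
    frame = make_frame(b"GL batch 42")
    print(hex(crc16_ccitt(b"123456789")))                        # 0x29b1, the standard check value
    print(check_frame(frame))                                    # (True, b'GL batch 42')
    print(check_frame(flip_bit(frame, 5))[0])                    # False: noise detected
    print(send_with_arq(b"GL batch 42", noisy_first_attempt()))  # (b'GL batch 42', 2)
```

A CRC is an integrity check against accidental line errors only: anyone who can modify the frame can recompute the CRC, so it says nothing about deliberate tampering. Protection against that is the job of the cryptographic controls mentioned under boundary controls, not of line error control.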
(c) Flow Controls: Flow controls are needed because two nodes in a network can differ in the rate at which they can send, receive and process data; without them a fast sender can overrun a slow receiver's buffers. To ensure proper communication, flow controls are required.
(e) Internetworking Controls: Internetworking is the process of connecting two or more communication networks together to allow the users of one network to communicate with the users of other networks. Three types of devices are used to connect networks, viz. bridge, router and gateway:
§ Bridge: connects similar local area networks (e.g. one token ring network to another token ring network).
· Maintenance of Privacy: Audit of Information Systems ensures that data
collected in a business process are adequately guarded and their privacy is
maintained.
· System Effectiveness Objectives: Audit of Information Systems ensures
effectiveness of a system is continuously evaluated by auditing the characteristics
and objective of the system to ascertain that it meets substantial user
requirements.
· System Efficiency Objectives: Control and Audit of Information Systems are
required to optimize the use of various information system resources.
· In an IS environment, the critical issue is that evidence is not available in physical form but in electronic form. The following actions help the auditor address this:
§ Use of special audit techniques, referred to as Computer Assisted Audit Techniques (CAATs), for gathering and documenting evidence.
§ Audit timing can be planned so that the auditor is able to validate transactions as they occur in the system.
Any opinion formed by the auditor is subject to inherent limitations of an audit, which
include:
§ The nature of financial reporting;
§ The nature of audit procedures;
§ The need for the audit to be conducted within a reasonable period of time and at a
reasonable cost.
§ The matter of difficulty, time, or cost involved is not in itself a valid basis for the
auditor to omit an audit procedure for which there is no alternative or to be
satisfied with audit evidence that is less than persuasive.
§ Fraud, particularly fraud involving senior management or collusion.
§ The existence and completeness of related party relationships and transactions.
§ The occurrence of non-compliance with laws and regulations.
§ Future events or conditions that may cause an entity to cease to continue as a
going concern.
1. Why is there a need to use concurrent audit techniques? What are the different types?
Need for Concurrent (Continuous) Audit: Online systems process heavy volumes of data and leave very little audit trail. In such cases evidence gathered after data processing is insufficient for audit purposes. It may also be difficult to stop the system in order to perform audit tests. Hence there is a need to use concurrent audit techniques, i.e. continuous monitoring of the system to collect audit evidence even while data are being processed in the live environment.
Types of concurrent audit tools: 1) Snapshot, 2) Integrated Test Facility (ITF), 3) System Control Audit Review File (SCARF), 4) Continuous & Intermittent Simulation (CIS), 5) Audit hooks
Snapshot Technique:
· Examines the way transactions are processed.
· Selected transaction points are marked with a special code that triggers a snapshot, i.e. takes a picture of the transaction as it moves through an application system.
· The before-image and after-image of the record are captured to validate the processing.
· Auditor reviews the images to ensure that the processing logic is executed properly, its
authenticity, accuracy and completeness.
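As an added example (mine, not the textbook's) of the snapshot technique: an embedded audit module takes a copy of the master record before and after the application logic runs for every transaction carrying a tagged code, and the auditor's review re-derives the expected after-image from the before-image and the transaction. A deliberately faulty version of the application logic shows the review detecting it. Transactions, transaction codes and account records are constructed.

```python
# Added example: the snapshot technique as an embedded audit module. Transactions
# whose code is in the tagged set trigger a copy of the master record before and
# after the application logic runs; the auditor's review re-derives the expected
# after-image and flags any snapshot where processing diverged.
import copy


class SnapshotAuditor:
    def __init__(self, tagged_codes):
        self.tagged_codes = set(tagged_codes)
        self.images = []          # one entry per snapshot: transaction, before, after

    def process(self, master: dict, txn: dict, apply_txn) -> None:
        tagged = txn["code"] in self.tagged_codes
        before = copy.deepcopy(master[txn["account"]]) if tagged else None
        apply_txn(master, txn)    # the application's own processing logic
        if tagged:
            self.images.append({"txn": txn, "before": before,
                                "after": copy.deepcopy(master[txn["account"]])})


def apply_txn_correct(master: dict, txn: dict) -> None:
    """Constructed application logic: post the amount, bump the record version."""
    rec = master[txn["account"]]
    rec["balance"] += txn["amount"]
    rec["version"] += 1


def apply_txn_faulty(master: dict, txn: dict) -> None:
    """Same logic with a defect: adjustment transactions are posted twice."""
    apply_txn_correct(master, txn)
    if txn["code"] == "ADJ":
        master[txn["account"]]["balance"] += txn["amount"]


def review_images(images) -> list:
    """Auditor's review of the snapshots: ids of transactions whose after-image
    is not what the before-image plus the transaction should have produced."""
    findings = []
    for img in images:
        before, after, txn = img["before"], img["after"], img["txn"]
        if (after["balance"] != before["balance"] + txn["amount"]
                or after["version"] != before["version"] + 1):
            findings.append(txn["id"])
    return findings


TXNS = [  # constructed transaction stream; only ADJ records are tagged for a snapshot
    {"id": 1, "code": "PAY", "account": "A1", "amount": -200},
    {"id": 2, "code": "ADJ", "account": "A1", "amount": 50},
    {"id": 3, "code": "PAY", "account": "A1", "amount": -100},
]


def run(apply_txn):
    """Process the stream with snapshots on ADJ transactions; return (images, findings)."""
    master = {"A1": {"balance": 1000, "version": 0}}
    auditor = SnapshotAuditor(tagged_codes={"ADJ"})
    for txn in TXNS:
        auditor.process(master, txn, apply_txn)
    return auditor.images, review_images(auditor.images)


if __name__ == "__main__":
    images, findings = run(apply_txn_correct)
    print(len(images), "snapshot(s); findings:", findings)      # 1 snapshot(s); findings: []
    print("faulty logic findings:", run(apply_txn_faulty)[1])   # [2]
```

Only tagged transactions are captured, which keeps the snapshot file small; the cost is that a defect confined to untagged transaction codes (the PAY records here) is invisible to this review, so the choice of which codes to tag is itself an audit decision.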
Continuous & Intermittent Simulation (CIS)
Working Process:
· Embeds audit modules in a Database Management System (DBMS).
· Once the processing logic / condition is programmed, the CIS module examines selected transactions. If a transaction is found significant, it independently processes the data, similar to parallel simulation.
· Compares the result with that of the database and, if variations are found, captures the details in an audit log.
· If serious discrepancies are found, CIS may prevent the DBMS from executing the update process.
Advantage: The advantage of CIS is that it does not require any modification to the application software, yet provides an online auditing capability.
Q. Explain three major ways by which audit trails can be used to support security objectives. [PM]
· Siting and Marking: Auditing building siting and marking requires attention to several key factors and features, including:
§ Proximity to hazards: The IS auditor should estimate the building’s distance to
natural and manmade hazards, such as Dams; Rivers, Natural gas and petroleum
pipelines; Flood zones; Military bases.
§ Marking: The IS auditor should inspect the building and surrounding area to see if
building(s) containing information processing equipment identify the organization.
Marking may be visible on the building itself, but also on signs or parking stickers
on vehicles.
· Physical barriers: This includes fencing, walls, barbed/razor wire, bollards, and
crash gates. The IS auditor needs to understand how these are used to control
access to the facility and determine their effectiveness.
· Surveillance: The IS auditor needs to understand how video and human
surveillance are used to control and monitor access. He or she needs to understand
how (and if) video is recorded and reviewed, and if it is effective in preventing or
detecting incidents.
· Guards and dogs: The IS auditor needs to understand the use and effectiveness of
security guards and guard dogs.
· Key-card systems: The IS auditor needs to understand how key-card systems are used to control access to the facility, for example how key-cards are issued and to whom.
· Shared accounts: The IS auditor should determine if there are any shared user
accounts by more than one person. The principal risk with shared accounts is
the inability to determine accountability for actions performed with the account.
3. Auditing User Access Provisioning: Auditing the user access provisioning process
requires attention to several key activities, including:
· Access request processes: The IS auditor should determine that all user
access request processes are used consistently throughout the organization.
· Access approvals: The IS auditor needs to determine how requests are
approved and by what authority they are approved.
· New employee provisioning: The IS auditor should examine the new
employee provisioning process to see how a new employee’s user accounts
are initially set up.
· Segregation of Duties (SOD): The IS auditor should determine if the
organization makes any effort to identify segregation of duties. This may include
whether there are any SOD procedures in existence and if they are actively
used to make user access request decisions.
· Access reviews: The IS auditor should determine if there are any periodic
access reviews and what aspects of user accounts are reviewed; this may
include termination reviews, internal transfer reviews, SOD reviews, and dormant
account reviews.
· Centralized access logs: The IS auditor should determine if the organization’s
access logs are centralized or if they are stored on individual systems.
· Access log protection: The auditor needs to determine if access logs can be
altered, destroyed, or attacked to cause the system to stop logging events.
· Access log review: The auditor should determine if access log reviews take
place, who performs them, how issues requiring attention are identified, and what
actions are taken when necessary.
· Access log retention: The IS auditor should determine how long access logs are retained by the organization and whether they are backed up.
The major activities that senior management must perform are – Planning, Organizing,
Controlling and Leading (already explained in Chapter – 3). The Role of auditor at each
activity is discussed below:
· Planning: Auditors need to evaluate whether top management has formulated a high-quality information systems plan that is appropriate to the needs of the organization. A poor-quality information systems plan leads to an ineffective and inefficient IS function, and the organization risks losing its competitive position.
· Organizing: Auditors should be concerned about how well top management acquires
and manages staff resources for three reasons:
§ The effectiveness of the IS function depends primarily on the quality of its staff.
The IS staff need to remain up to date and motivated in their jobs.
§ Intense competition and high turnover have made acquiring and retaining good
information system staff a complex activity.
§ Staff should have the required skill set and be trustworthy.
· Leading: Generally, auditors examine variables that often indicate when motivation problems exist or suggest poor leadership. To verify this, auditors may use both formal and informal sources of evidence to evaluate how well top managers communicate with their staff.
· Controlling: Auditors must evaluate whether top management's choice of the means of control over the users of IS services is likely to be effective.
Systems Development Management has responsibility for the functions concerned with
analyzing, designing, building, implementing, and maintaining information systems.
Three different types of audits may be conducted during the system development process, as discussed below:
§ Concurrent Audit: Auditors are members of the system development team. They assist the team in improving the quality of systems development for the specific system they are building and implementing.
An external auditor is more likely to undertake general audits rather than concurrent or
post-implementation audits of the systems development process. For internal auditors,
management might require that they participate in the development of material
application systems or undertake post-implementation reviews of material application
systems as a matter of course.
Some of the major concerns that an auditor should address under different activities
involved in Programming Management Control Phase are provided in Table as under:
Phase Audit Trail
· Auditors should pay concern to see whether the documentation is maintained
securely and that it is issued only to authorized personnel.
· Auditors can use interviews, observations, and review of documentation to
evaluate -
§ the activities of documentation librarians;
§ how well operations management undertakes the capacity planning and
performance monitoring function;
§ the reliability of outsourcing vendor controls;
§ whether operations management is monitoring compliance with the outsourcing
contract; and
§ Whether operations management regularly assesses the financial viability of
any outsourcing vendors that an organization uses.
2. Input Controls: This maintains the chronology of events from the time data and
instructions are captured and entered into an application system until the time they are
deemed valid and passed onto other subsystems within the application system.
3. Processing Controls: The audit trail maintains the chronology of events from the
time data is received from the input or communication subsystem to the time data is
dispatched to the database, communication, or output subsystems.
4. Output Controls: The audit trail maintains the chronology of events that occur from
the time the content of the output is determined until the time users complete their
disposal of output because it no longer should be retained.
5. Database Controls: The audit trail maintains the chronology of events that occur
either to the database definition or the database itself.
6. Communication Controls: This maintains a chronology of the events from the time a
sender dispatches a message to the time a receiver obtains the message.
§ These organizational changes are usually performed to help an organization meet
new objectives that require new partnerships and teamwork that were less
important before.
· Market conditions: Changes in market positions can cause an organization to realign
its internal structure in order to strengthen itself.
§ For example, if a competitor lowers its prices based on a new sourcing strategy, an
organization may need to respond by changing its organizational structure to put
experienced executives in charge of specific activities.
· Regulation: New regulations may force an organization to change its organizational
structure.
§ For instance, an organization may have to appoint a director or officer to comply with a legal requirement.
· Available talent: When someone leaves the organization (or moves to another
position within the organization), particularly in positions of leadership, a space opens
in the org chart that often cannot be filled right away.
§ Instead, senior management will temporarily change the structure of the
organization by moving the leaderless department under the control of someone
else.
The remainder of this section includes many IT job titles with a short description (not a full
job description by any measure) of the function of that position.
(a) Executive Management: Executive managers are the chief leaders and
policymakers in an organization. They set objectives and work directly with the
organization’s most senior management to help make decisions affecting the future
strategy of the organization.
· CIO (Chief Information Officer): This is the title of the topmost leader in a larger IT organization.
· CTO (Chief Technical Officer): This position is usually responsible for an
organization’s overall technology strategy.
§ Depending upon the purpose of the organization, this position may be
separate from IT.
· CSO (Chief Security Officer): This position is responsible for all aspects of
security, including information security, physical security etc.
· CISO (Chief Information Security Officer): This position is responsible for all
aspects of data-related security.
§ This usually includes incident management, disaster recovery, vulnerability
management, and compliance.
· CPO (Chief Privacy Officer): This position is responsible for the protection and
use of personal information.
§ This position is found in organizations that collect and store sensitive
information for large numbers of persons.
§ This position may develop technical requirements, program design, and
software test plans.
· Software Developer, Programmer: This position develops application
software.
§ Depending upon the level of experience, persons in this position may also
design programs or applications.
· Software Tester: This position tests programs made by software developers.
(f) General Operations
Positions in operations are responsible for day-to-day operational tasks that may
include networks, servers, databases, and applications.
· Operations Manager: This position is responsible for overall operations that are
carried out by others. Responsibilities will include establishing operations shift
schedules.
· Operations Analyst: This position may be responsible for the development of
operational procedures; examining the health of networks, systems, and
databases; setting and monitoring the operations schedule; and maintaining
operations records.
· Controls Analyst: This position is responsible for monitoring batch jobs, data
entry work, and other tasks to make sure that they are operating correctly.
· Systems Operator: This position is responsible for monitoring systems and
networks, performing backup tasks, and other operational tasks.
· Data Entry: This position is responsible for keying batches of data from hard
copy sources.
· Media Librarian: This position is responsible for maintaining and tracking the use
and storage of backup tapes and other media.
SEGREGATION OF DUTIES
· Information systems often process large volumes of information that is sometimes
highly valuable or sensitive.
· Measures need to be taken in IT organizations to ensure that individuals do not
possess sufficient privileges to carry out potentially harmful actions on their
own.
· Checks and balances are needed, so that high-value and high- sensitivity activities
involve the coordination of two or more authorized individuals.
· The concept of Segregation of Duties (SOD), also known as separation of
duties, ensures that single individuals do not possess excess privileges that
could result in unauthorized activities such as fraud or the manipulation or
exposure of sensitive data.
· The concept of segregation of duties has been long-established in organization
accounting departments where, for instance, separate individuals or groups are
responsible for the creation of vendors, the request for payments, and the printing
of checks.
· Periodic reviews: IT or internal audit personnel can periodically review user
access rights to identify whether any segregation of duties issues exist.
§ The access privileges for each worker can be compared against a segregation
of duties control matrix.
When SOD issues are encountered during a segregation of duties review, management will need to decide how to mitigate the matter.
The choices for mitigating a SOD issue include;
§ Reduce access privileges: Management can reduce individual user
privileges so that the conflict no longer exists.
§ Introduce a new mitigating control: If management has determined that the
person(s) need to retain privileges that are viewed as a conflict, then new
preventive or detective controls need to be introduced that will prevent or
detect unwanted activities.
§ Examples of mitigating controls include increased logging to record the actions
of personnel, improved exception reporting to identify possible issues, and
external reviews of high-risk controls.
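An added example (mine, not the textbook's) of such a review in Python: users' role memberships are expanded to effective privileges, each pair of privileges is checked against a control matrix of forbidden combinations (following the accounts-payable example above), and the first mitigation option is applied by removing privileges until no conflict remains. Roles, users, privilege names and the matrix entries are constructed.

```python
# Added example: a segregation of duties (SOD) review that compares each user's
# effective privileges against a control matrix of conflicting privilege pairs,
# then applies the first mitigation option, reducing privileges until no
# conflict remains. Privilege names, roles and users are constructed.
from itertools import combinations

# Conflicting pairs, following the accounts-payable example in the text.
SOD_MATRIX = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"create_vendor", "print_cheque"}),
    frozenset({"request_payment", "approve_payment"}),
    frozenset({"approve_payment", "print_cheque"}),
}

ROLE_PRIVILEGES = {
    "ap_clerk":   {"create_vendor", "request_payment"},
    "ap_manager": {"approve_payment"},
    "treasury":   {"print_cheque"},
    "helpdesk":   {"reset_password"},
}

USER_ROLES = {
    "asha":      {"ap_clerk"},
    "ravi":      {"ap_clerk", "ap_manager"},   # kept the old role after an internal transfer
    "meera":     {"treasury", "helpdesk"},
    "shared_ap": {"ap_clerk", "treasury"},     # a shared account: nobody is individually accountable
}


def effective_privileges(user: str, user_roles=USER_ROLES, role_privs=ROLE_PRIVILEGES) -> set:
    """Union of the privileges granted by every role the user holds."""
    return set().union(*(role_privs[r] for r in user_roles[user]))


def sod_conflicts(privileges: set, matrix=SOD_MATRIX) -> list:
    """Sorted list of (privilege, privilege) pairs held together that the matrix forbids."""
    return sorted(tuple(sorted(pair)) for pair in combinations(privileges, 2)
                  if frozenset(pair) in matrix)


def sod_review(user_roles=USER_ROLES, role_privs=ROLE_PRIVILEGES, matrix=SOD_MATRIX) -> dict:
    """The periodic review: users with at least one conflict and their conflicting pairs."""
    findings = {}
    for user in user_roles:
        conflicts = sod_conflicts(effective_privileges(user, user_roles, role_privs), matrix)
        if conflicts:
            findings[user] = conflicts
    return findings


def reduce_privileges(privileges: set, matrix=SOD_MATRIX) -> set:
    """Mitigation option 1: return the privileges to remove so that no conflict
    remains. Greedy: drop the privilege involved in the most conflicts first
    (alphabetical on ties), re-check, repeat."""
    remaining, removed = set(privileges), set()
    while True:
        conflicts = sod_conflicts(remaining, matrix)
        if not conflicts:
            return removed
        counts = {}
        for a, b in conflicts:
            counts[a] = counts.get(a, 0) + 1
            counts[b] = counts.get(b, 0) + 1
        victim = min(counts, key=lambda p: (-counts[p], p))
        remaining.discard(victim)
        removed.add(victim)


if __name__ == "__main__":
    for user, conflicts in sod_review().items():
        print(user, conflicts)
        print("  remove:", sorted(reduce_privileges(effective_privileges(user))))
```

The shared account shows why such accounts are a review finding in themselves: the conflict exists regardless of which person is using it, and the access log cannot say who did. Where the business insists the privileges stay together (the second mitigation option), the output of `sod_review` is exactly the list of users whose actions the additional logging and exception reporting must cover.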
CHAPTER 4
E-COMMERCE, M-COMMERCE & EMERGING TECHNOLOGIES
CHAPTER OVERVIEW :
EMERGING TECHNOLOGIES
o Virtualization
o Grid Computing
o Cloud Computing
o Mobile Computing
o Green IT
o BYOD
o Web 3.0
o Artificial Intelligence
o Machine Learning
INTRODUCTION TO E-COMMERCE
1. Define E-Commerce.
· E-Commerce: “Sale / Purchase of goods / services through electronic mode is
ecommerce.” This could include the use of technology in the form of Computers,
Desktops, Mobile Applications, etc.
· E-Commerce is the process of doing business electronically. It refers to the use
of technology to enhance the processing of commercial transactions between a
company, its customers and its business partners. It involves the automation of a
variety of Business-To-Business (B2B) and Business-To-Consumer (B2C)
transactions through reliable and secure connections.
· This illustrates the new business model enabled by technology, in which the link between consumer and supplier is virtually direct.
Basis               Traditional commerce                E-commerce
Payment             Cash, cheque, credit card, etc.     Credit card, fund transfer, Cash on Delivery, payment wallets, UPI application, etc.
Delivery of goods   Instantly                           Takes time, but e-commerce websites have now created options of same-day delivery, or delivery within 4 hours.
3. Benefits of E-Business
E-business benefits individuals, businesses, government and society at large. The major
benefits from e-business are as follows;
A. Benefits to Customer / Individual / User
· Convenience: Every product is at the tip of the individual's fingertips on the internet.
· Time saving: The number of operations that can be performed by both potential buyers and sellers increases.
· Various Options: There are several options available for customers which are not
only being easy to compare but are provided by different players in the market.
· Easy to find reviews: There are often reviews about a particular site or product
from the previous customers which provides valuable feedback.
· Coupon and Deals: There are discount coupons and reward points available for
customers to encourage online transaction.
· Anytime Access: E-commerce platforms can be accessed at any time, even at midnight, which suits the customer.
B. Benefits to Business / Sellers
· Increased Customer Base: Since the number of people getting online is increasing, e-commerce not only creates new customers but also retains old ones.
· Instant Transaction: E-commerce transactions are based on real-time processes. This has made it possible to close a large number of deals.
· Provides a dynamic market: Since there are several players, providing a dynamic
market which enhances quality and business.
· Reduction in costs:
§ To buyers from increased competition in procurement as more suppliers are
able to compete in an electronically open marketplace.
§ To suppliers, by electronically accessing online databases of bid opportunities, submitting bids online, and reviewing awards online.
§ In overhead costs through uniformity, automation, and large-scale integration of
management processes.
§ Advertising costs.
· Efficiency improvement due to:
§ Reduction in time to complete business transactions, particularly from delivery
to payment.
§ Reduction in errors, time, for information processing by eliminating
requirements for re-entering data.
§ Reduction in inventories and reduction of risk of obsolete inventories as the
demand for goods and services is electronically linked through just-in- time
inventory and integrated manufacturing techniques.
(Q.: Explain efficiency improvement due to E-Business.)
· Creation of new markets: This is done through the ability to easily and cheaply
reach potential customers.
· Easier entry into new markets: This is especially into geographically remote
markets, for enterprises regardless of size and location.
· Better quality of goods: As standardized specifications and competition have
increased and improved variety of goods through expanded markets and the ability
to produce customized goods.
· Elimination of Time Delays: Faster time to market as business processes are
linked, thus enabling seamless processing and eliminating time delays.
C. Benefits to Government
· Instrument to fight corruption: In line with Government’s vision, e commerce
provides an important hand to fight corruption.
· Reduction in use of ecologically damaging materials through electronic
coordination of activities and the movement of information rather than physical
objects.
(i) User: This may be an individual / organization or anybody using the e-commerce platform. As e-commerce has made procurement easy and simple, just a click of a button, e-commerce vendors need to ensure that their products are not delivered to the wrong users. In particular, e-commerce vendors selling products like medicines / drugs need to ensure that such products are not delivered to the wrong person/user.
(ii) E-commerce Vendors: This is the organization / entity providing the user the goods / services asked for. For example: www.flipkart.com. E-commerce vendors further need to ensure the following for better, more effective and efficient transactions:
· Suppliers and Supply Chain Management: These are another important component of the whole operation. For effectiveness, vendors need to ensure that:
§ They have enough of the right goods suppliers.
§ The suppliers are financially and operationally sound.
§ Suppliers are able to provide real-time stock inventory.
§ The order to deliver time is very short.
· Warehouse operations: When a product is bought, it is delivered from the
warehouse of e-commerce vendor. This place is where online retailers pick products
from the shelf, pack them as per customer’s specification / pre-decided standards
and prepare those products to be delivered. These operations have become very
critical to the success of the whole ecommerce business.
· Shipping and returns: Shipping is supplementary and complementary to the whole warehouse operation. Fast returns have become a Unique Selling Proposition (USP) for many e-commerce vendors, so these vendors need very effective and efficient return processing.
· E - Commerce catalogue and product display: Proper display of all products
being sold by vendor including product details, technical specifications, makes for a
better sales conversion ratio. These help customers gauge the products / services
being sold. A good catalogue makes a lot of difference to whole customer
experience.
· Marketing and loyalty programs: Loyalty programs establish a long-term
relationship with customer. The best examples can be customer loyalty programs
being run by airline industry. In airline industry, customer can get good discount /
free tickets based on loyalty points accumulated.
· Showroom and offline purchase: Some e-commerce vendors have, over time,
realized that their products sell faster if customers are able to feel / touch / see
those products. These vendors have opened outlets so that customers can experience
their products. For example: Lenskart.
· Different Ordering Methods: These are the ways a customer can place his / her order;
for example, Cash on Delivery is today the most preferred method.
· Guarantees: The product / service guarantee associated with the product / service
being sold. Money-back guarantees create a sense of security in the customer's mind that,
in case of any problem, their money shall be safely returned.
· Privacy Policy: Represents policy adopted by the e-commerce vendor vis-a-vis
customer data / information. E-commerce website must have a privacy policy.
· Security: Represents the security policy adopted by the e-commerce vendor. The
vendor's website needs to state that the data used to transact online is safe and that the
vendor uses appropriate security, including security systems like SSL (Secure Sockets
Layer). This guarantees that the data provided by the customer will not fall into the hands
of a hacker while being transferred from his / her computer to the web server.
(iii) Technology Infrastructure: The computers, servers, database, mobile apps, digital
libraries, data interchange enabling the e-commerce transactions.
· Computers, Servers and Database
§ These are the backbone for the success of the venture. Big e-commerce
organizations invest huge amounts of money / time in creating these systems.
§ They store the data / programs used to run the whole operation of the
organization.
§ As cloud computing is increasingly being used, many small / mid-sized e-
commerce organizations have started using shared infrastructures.
· Mobile Apps
§ Just as with the personal computer, mobile devices such as tablet computers
and smart phones also have operating systems and application software.
· Web portal:
§ This shall provide the interface through which an individual / organization
shall perform e-commerce transactions.
§ Web Portal is the application through which user interacts with the ecommerce
vendor.
§ The front end through which user interacts for an e-commerce transaction.
§ These web portals can be accessed through desktops / laptops / PDA / hand-
held computing devices / mobiles and now through smart TVs also.
§ The simplicity and clarity of content on web portal is directly linked to customer
experience of buying a product online.
· Payment Gateway:
§ The payment mode through which customers shall make payments.
§ The payment gateway represents the way e-commerce / m-commerce vendors
collect their payments. The payment gateway is another critical component of the
e-commerce set-up.
§ It is the last and most critical part of an e-commerce transaction. It assures the
seller of receipt of payment from the buyer of goods / services from the
e-commerce vendor.
§ Presently numerous methods of payment by buyers to sellers are in use,
including Credit / Debit Card Payments, Online bank payments, the vendor's own
payment wallet, Third Party Payment wallets like SBI BUDDY or PAYTM, Cash
on Delivery (COD) and Unified Payments Interface (UPI).
Architecture is a term that defines the style of design and method of construction, used
generally for buildings and other physical structures.
In e-commerce, it denotes the way network architectures are built.
E-commerce runs through network-connected systems. Networked systems can have
two types of architecture, namely:
(i) Two tier, and
(ii) Three tier.
Two Tier Client Server
In a Two-tier network, the client (user) sends a request to the Server and the Server responds
to the request by fetching the requested data. The Two-tier architecture is divided into two
tiers: the Presentation Tier and the Database Tier.
· It creates an increased need for network traffic management, server load balancing,
and fault tolerance.
· Current tools are relatively immature and more complex.
· Maintenance tools are currently inadequate.
Which Architecture is used?
WORK FLOW DIAGRAM FOR E-COMMERCE
6. What are the risks associated with E-Commerce Transactions that are high as
compared to general Internet activities?
Risk: Risk is the possibility of loss. It may be the result of intentional or
unintentional action by individuals.
Risks associated with e-commerce transactions are high compared to general internet
activities.
These include the following:
· Privacy and Security: These issues arise mainly in the context of hacking. There are often
issues of security and privacy due to lack of personalized digital access and knowledge.
· Quality issues: There are quality issues raised by customers as the original product
differs from the one that was ordered.
· Delay in goods and Hidden Costs: When goods are ordered from another country,
there are hidden costs enforced by Companies.
· Needs Access to internet and lack of personal touch: E-commerce requires
an internet connection, which is an extra expense, and it lacks personal touch.
· Security and credit card issues: Cloning of credit cards and debit cards is
possible, which poses a security threat.
· Infrastructure: There is a greater need of not only digital infrastructure but also
network expansion of roads and railways which remains a substantial challenge in
developing countries.
· Problem of anonymity: There is need to identify and authenticate users in the
virtual global market where anyone can sell to or buy from anyone, anything from
anywhere.
· Repudiation of contract: There is a possibility that the electronic transaction in the
form of a contract, sale order or purchase may be denied by the trading partner or
customer.
· Lack of authenticity of transactions: The electronic documents that are
produced during an e-Commerce transaction may not be authentic and reliable.
· Data Loss or theft or duplication: The data transmitted over the Internet may be
lost, duplicated or tampered with.
· Attack from hackers: Web servers used for e-Commerce may be vulnerable to
hackers.
· Denial of Service: Service to customers may be denied due to non-availability of
system as it may be affected by viruses, e-mail bombs and floods.
· Non-recognition of electronic transactions: E-Commerce transactions, as
electronic records and digital signatures may not be recognized as evidence in
courts of law.
· Problem of piracy: Intellectual property may not be adequately protected when
such property is transacted through e-Commerce.
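Several of the risks listed above (data tampered with in transit, duplicated transactions, lack of authenticity of electronic documents) are addressed in practice by authenticating each transaction message before acting on it. The following is an added illustration, not part of the J.K. Shah notes, of how a vendor and its payment gateway can detect a tampered order and a replayed (duplicate) order using a keyed hash (HMAC) over a canonical form of the message. The shared secret, order fields and sample submissions are all constructed for the demonstration. Note that an HMAC proves integrity and origin only between the two parties holding the key; the non-repudiation discussed above (a record a court can attribute to one party) needs asymmetric digital signatures, which work the same way but with a private signing key and a public verification key.

```python
import hashlib
import hmac
import json

# Constructed shared secret for the demonstration. In practice it is provisioned
# out of band between vendor and gateway and never embedded in source code.
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"


def canonical(order: dict) -> bytes:
    """Serialize an order deterministically so both parties hash identical bytes."""
    return json.dumps(order, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_order(secret: bytes, order: dict) -> str:
    """Authentication tag over the canonical order (HMAC-SHA256, hex encoded)."""
    return hmac.new(secret, canonical(order), hashlib.sha256).hexdigest()


def verify_order(secret: bytes, order: dict, tag: str) -> bool:
    """Recompute the tag and compare in constant time (no timing side channel)."""
    return hmac.compare_digest(sign_order(secret, order), tag)


def process_submissions(secret: bytes, submissions: list) -> list:
    """Accept each (order, tag) pair only if it is authentic and not yet seen.

    Returns (order_id, status) per submission. The integrity check runs first so
    that a forged order cannot poison the duplicate-tracking set.
    """
    seen_ids = set()
    results = []
    for order, tag in submissions:
        oid = order.get("order_id")
        if not verify_order(secret, order, tag):
            results.append((oid, "rejected: tampered or unauthenticated"))
            continue
        if oid in seen_ids:
            results.append((oid, "rejected: duplicate"))
            continue
        seen_ids.add(oid)
        results.append((oid, "accepted"))
    return results


def demo_submissions(secret: bytes) -> list:
    """Constructed sample traffic: one genuine order, one altered copy, one replay."""
    genuine = {"order_id": "ORD-1001", "amount": 1499.00,
               "currency": "INR", "payee": "vendor-account"}
    tag = sign_order(secret, genuine)
    tampered = dict(genuine, amount=14.99)   # amount changed in transit, tag unchanged
    return [
        (genuine, tag),
        (tampered, tag),
        (genuine, tag),                      # replayed copy of the processed order
    ]


if __name__ == "__main__":
    for order_id, status in process_submissions(SHARED_SECRET, demo_submissions(SHARED_SECRET)):
        print(order_id, status)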
7. Explain meaning of control and relevance of control in E-business.
Controls are the policies, procedures, practices and organizational structures designed
to provide reasonable assurance that business objectives will be achieved and that
undesired events will be prevented, or detected and corrected.
For example:
· Company may have a policy to force employees to change their passwords every 30
days.
· A CA firm may not allow office staff access to social sites during office hours.
In an e-business environment, controls are necessary for all persons in the chain,
including:
· Users: This is important to ensure that the genuine user is using the e-
commerce/ m-commerce platform.
There is risk if user accounts are hacked and hackers buy products / services.
· Government: Governments across the world and in India have a few critical concerns
vis-a-vis electronic transactions, namely:
§ Tax accounting of all products / services sold.
§ All products / services sold are legal.
There have been instances where narcotic drugs have been found to be sold and
bought through electronic means.
· Technology Service Providers: These include all service providers other than the
network service provider, for example, cloud computing back-ends, application
back-ends etc. They are also prone to risks of availability and security.
· Payment Gateways: An e-commerce vendor's business shall run only when its
payment gateways are efficient, effective and fool-proof.
For example: All banks in India that allow online payments put up advisories on their
websites titled "Dos and Don'ts for online payments."
The more informed your organisation is, the easier it will be to combat online threats
and to carry out risk mitigating measures.
(Q: What are the ways of protecting your e-commerce business from intrusion?)
The business and technological environment in which entities operate is rapidly
changing on account of the E-Commerce platforms on which most of them now
operate. Therefore, it is imperative to consider Cyber Security Risks in the
audit procedures. Risk Assessment is always an important part and parcel of the
audit procedures.
One of the most important aspects to be kept in mind during the risk assessment
process is giving due consideration to the changing risks in the entity and its
environment due to the ever-evolving technology landscape which can have a potential
impact on the financial statements.
There could be cyber security risks with Direct as well as Indirect impact.
· A Direct Financial Impact could be if the Application at the Company’s Retailers
which contains financial information has weak passwords resulting in harming the
integrity of data.
· An Indirect Operational Impact could be if the sensitive customer information in
the form of Bank Account Numbers, Recipes of Patented products, etc. could be
breached which would result in legal and regulatory actions on the Company on
account of breach of confidential information.
· Any incidents of cyber security breach which occurred and the actions taken
and controls built in to avoid them from occurring again.
· Annual review by the CIO
· The Entity should have an IT Security Policy circulated to all Employees
detailing the procedures to be adhered to when accessing IT systems / resources,
like password security, restricted use of the internet, etc.
· Periodical review of access rights to all IT resources to ensure that the access
given to users is commensurate with their functional roles and responsibilities.
· Adequate approvals exist before access is granted to any IT resource.
· Use of firewalls by the Company to control internet activity.
· All remote access logins are configured for two-factor authentication using
username, password, PIN, token, etc.
· Whether backups are scheduled properly and checked in a timely manner by
restoring data.
The above procedures are to be considered even for assets not owned by the
Company but where the Company utilizes services from another service provider,
for example where server maintenance and security are outsourced to a service
provider.
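Most of the audit procedures listed above can be run as repeatable checks over data extracted from the entity's systems rather than by inspection alone. The following is an added example, not part of the J.K. Shah notes, that applies four of them to constructed sample records: access rights compared against a role-to-entitlement matrix, grants without an approver, remote logins configured with fewer than two factors, and backups whose last successful restoration test is older than a chosen threshold. The role matrix, user records, login configurations, backup log and the 90-day restoration threshold are all assumptions made for the demonstration; an auditor would substitute the entity's own extracts and policy values.

```python
from datetime import date, timedelta

# --- Constructed sample data (stand-ins for access-management, VPN and backup extracts) ---

# Which rights each functional role is entitled to (assumed role matrix).
ROLE_ENTITLEMENTS = {
    "accounts_clerk": {"ledger_read", "ledger_post"},
    "sales_exec": {"crm_read", "crm_write"},
    "dba": {"ledger_read", "ledger_post", "db_admin"},
}

# What each user actually holds, and who approved the grant (None = no approval on file).
USER_ACCESS = [
    {"user": "asha", "role": "accounts_clerk",
     "rights": {"ledger_read", "ledger_post"}, "approved_by": "CFO"},
    {"user": "ravi", "role": "sales_exec",
     "rights": {"crm_read", "crm_write", "db_admin"}, "approved_by": "IT-head"},
    {"user": "meena", "role": "dba",
     "rights": {"ledger_read", "ledger_post", "db_admin"}, "approved_by": None},
]

# Authentication factors configured for each remote-access login.
REMOTE_LOGINS = [
    {"user": "asha", "factors": ["password", "token"]},
    {"user": "ravi", "factors": ["password"]},
]

# Backup jobs with the date of the last successful restoration test.
BACKUP_JOBS = [
    {"system": "ledger-db", "last_run": date(2024, 3, 1), "last_restore_test": date(2024, 2, 15)},
    {"system": "crm", "last_run": date(2024, 3, 1), "last_restore_test": date(2023, 6, 1)},
]


def excess_rights(user_access, role_entitlements):
    """Access-rights review: rights held beyond what the user's role entitles."""
    findings = []
    for rec in user_access:
        allowed = role_entitlements.get(rec["role"], set())
        extra = rec["rights"] - allowed
        if extra:
            findings.append((rec["user"], sorted(extra)))
    return findings


def unapproved_access(user_access):
    """Approval check: every grant must carry a recorded approver."""
    return [rec["user"] for rec in user_access if not rec["approved_by"]]


def remote_logins_without_2fa(remote_logins):
    """Remote-access check: at least two distinct factors must be configured."""
    return [rec["user"] for rec in remote_logins if len(set(rec["factors"])) < 2]


def stale_restore_tests(backup_jobs, as_of, max_age_days=90):
    """Backup check: a backup never restored within the window is unproven."""
    cutoff = as_of - timedelta(days=max_age_days)
    return [job["system"] for job in backup_jobs if job["last_restore_test"] < cutoff]


def run_audit(as_of=date(2024, 3, 31)):
    """Run all checks and return the exceptions per procedure (assumed audit date)."""
    return {
        "excess_rights": excess_rights(USER_ACCESS, ROLE_ENTITLEMENTS),
        "unapproved_access": unapproved_access(USER_ACCESS),
        "remote_without_2fa": remote_logins_without_2fa(REMOTE_LOGINS),
        "stale_restore_tests": stale_restore_tests(BACKUP_JOBS, as_of),
    }


if __name__ == "__main__":
    for check, findings in run_audit().items():
        print(f"{check}: {findings if findings else 'no exceptions'}")
```

On the sample data the checks report ravi holding db_admin beyond the sales role, meena's access with no approval on file, ravi's remote login with a single factor, and the crm backup with no restoration test in the window. Each finding maps back to one procedure in the list above, which is what makes the working papers easy to review.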
6. Payment: Policy guidelines need to be created for the following payment related
issues:
· Mode of payment.
· Which specific payment modes apply to which products. For example, an organisation
may restrict cash on delivery for a few consumable products.
1. Income Tax Act, 1961: Income Tax Act, has detailed provisions regarding
taxation of income in India. In respect of e-commerce / m-commerce transactions,
the issue of deciding place of origin transaction for tax purpose is critical.
2. Companies Act, 2013: Companies Act, 2013, regulates the corporate sector. The
law defines all regulatory aspects for companies in India. Most of the merchants in
e-commerce / m-commerce business are companies, both private and public.
3. Foreign Trade (Development and Regulation) Act, 1992: An Act to provide for
the development and regulation of foreign trade by facilitating imports into,
augmenting exports from, India and for matters connected therewith or incidental
thereto. Amazon has recently allowed Indian citizens to purchase from its global
stores. All these shall be regulated through above law.
4. The Factories Act, 1948: Act to regulate working conditions of workers. The act
extends to place of storage as well as transportation. Most of the merchants in e-
commerce / m-commerce business need to comply with provision of the act.
5. The Customs Act, 1962: The act that defines import / export of goods / services
from India and provides for the levy of appropriate customs duty. India, being a signatory
to the General Agreement on Tariffs and Trade (GATT) under the World Trade Organisation,
cannot levy any customs duty that is GATT non-compliant. This one law is subject to
debate across the world. For example: when an Indian company downloads software
sold by a foreign company, whether the same is chargeable to import duty.
6. The Goods and Services Tax Act, 2017 (GST): This Act requires each applicable
business, including e-commerce / m-commerce, to upload each sales and purchase
invoice to one central IT infrastructure, mandating reconciliation of transactions
between businesses, triggering of tax credits on payment of GST, facilitating filing of
e-returns, etc.
7. Indian Contract Act 1872: The act defines constituents of a valid contract. In case
of e-commerce / m-commerce business it becomes important to define these
constituents.
8. The Competition Act, 2002: Law to regulate practices that may have an adverse
effect on competition in India. The Competition Commission has been vigilant to ensure
that e-commerce / m-commerce merchants do not engage in predatory practices.
10. Consumer Protection Act, 1986: The law to protect consumer rights has been the
source of most litigation for transactions done through e-commerce and m-commerce.
DIGITAL PAYMENTS
· Digital Payment is a way of payment which is made through digital modes.
· In digital payments, payer and payee both use digital modes to send and
receive money.
· It is also called electronic payment.
· No hard cash is involved in the digital payments.
· All the transactions in digital payments are completed online.
· It is an instant and convenient way to make payments.
· New digital payment platforms such as UPI and IMPS are becoming increasingly
popular.
· Using these new platforms, banks have been scaling rapidly.
(i) UPI Apps: Unified Payment Interface (UPI) and retail payment banks are
changing the very face of banking in terms of moving most of banking to digital
platforms using mobiles and apps.
· UPI is a system that powers multiple bank accounts (of participating banks),
several banking services features like fund transfer, and merchant payments in
a single mobile application.
· UPI or unified payment interface is a payment mode which is used to make fund
transfers through the mobile app.
· User can transfer funds between two accounts using UPI apps.
· User must register for mobile banking to use UPI apps.
· Users need to download a UPI app and create a UPI ID.
· There are many good UPI apps available, such as BHIM, SBI UPI app, HDFC
UPI app, iMobile, PhonePe app etc.
(iii) Mobile Apps: BHIM (Bharat Interface for Money) is a Mobile App developed
by National Payments Corporation of India (NPCI) based on UPI (Unified
Payment Interface).
· It facilitates e-payments directly through banks and supports all Indian banks
which use that platform.
· It is built on the Immediate Payment Service infrastructure and allows the user to
instantly transfer money between the bank accounts of any two parties.
· BHIM works on all mobile devices and enables users to send or receive money
to other UPI payment addresses by scanning QR code or using account number
with Indian Financial Systems Code (IFSC) code or MMID (Mobile Money
Identifier) Code for users who do not have a UPI-based bank account.
(iv) Mobile Wallets: These are virtual wallets that store payment card
information on a mobile device.
· Mobile Wallets provide a convenient way for a user to make in-store payments
and can be used at merchants listed with the mobile wallet service providers.
· There are mobile wallets like PayTm, Freecharge, Buddy, MobiKwick etc.
· Some of these are owned by banks and some are owned by private companies.
(i) E-Wallet: E-wallet or mobile wallet is the digital version of physical wallet
with more functionality.
· Users can keep their money in an E-wallet and use it when needed.
· E-wallets can be used to recharge a phone, pay at various places and send money to
friends.
· If users have a smartphone and a stable internet connection, they can use E-
wallets to make payments.
· These E-Wallets also give additional cashback offers.
· Some of the most used E-wallets are State bank buddy, ICICI Pockets,
Freecharge, Paytm etc.
(ii) Cards: Cards are provided by banks to their account holders. These have been
the most used digital payment modes till now. Various types of cards are as
follows:
Credit Cards: A small plastic card issued by a bank, or issuer etc., allowing
the holder to purchase goods or services on credit.
In this mode of payment, the buyer’s cash flow is not immediately
impacted. User of the card makes payment to card issuer at end of billing
cycle which is generally a monthly cycle.
(iii) Net Banking: In this mode, the customer logs in to his / her bank account and
makes payments.
All public sector and large private sector banks allow net banking facilities to their
customers.
· Easy and convenient: Digital payments are easy and convenient. A person does not
need to carry loads of cash.
· Pay or send money from anywhere: With digital payment modes, one can pay
from anywhere anytime.
· Discounts from taxes: Government has announced many discounts to
encourage digital payments.
Users get a 0.75% discount on fuel and a 10% discount on insurance premiums of
government insurers.
· Written record: Users often forget to note down their spending, and even when they
do, it takes a lot of time.
These are automatically recorded in passbook or inside E-Wallet app.
This helps to maintain record, track spending and budget planning.
· Less Risk: Digital payments carry less risk if used wisely. If a user loses a mobile
phone, debit / credit card or Aadhaar card, there is no need to worry a lot. No one can use
anyone else's money without the MPIN, PIN or fingerprint in the case of Aadhaar. It is
advised that the user should get the card blocked if lost.
· Difficult for a Non-technical person: As most digital payment modes are
based on mobile phones, the internet and cards, these modes are somewhat
difficult for non-technical persons such as farmers, workers etc.
· The risk of data theft: There is a big risk of data theft associated with the digital
payment.
Hackers can hack the servers of the bank or the E-Wallet a customer is using and
easily get his/her personal information.
They can use this information to steal money from the customer’s account.
· Overspending: One keeps limited cash in his/her physical wallet and hence thinks
twice before buying anything.
But if digital payment modes are used, one has an access to all his/her money that
can result in overspending.
Computing Technologies
Virtualization
1. What do you mean by the term Virtualization? Explain major applications
of Virtualization. (Nov 16)
Major applications:
a) Server Consolidation: Virtual machines are used to consolidate many
physical servers into fewer servers, which in turn host virtual machines.
This is also known as “Physical-to-Virtual” or 'P2V' transformation.
b) Disaster Recovery: Virtual machines can be used as "hot standby"
environments for physical production servers. This helps to take over
or shift the load of physical server to virtual server in case of disaster or
shutdown of physical server.
c) Testing and Training: Hardware virtualization can also serve as a
training platform, as it provides a combination of multiple resources
without affecting the working of the underlying physical resources. This
can be very useful, for example, in kernel development and operating
system courses.
d) Portable Applications: Portable applications are needed when
running an application from a removable drive, without installing it on
the system's main disk drive.
e) Portable Workspaces: Recent technologies have used virtualization
to create portable workspaces on devices like iPods and USB memory
sticks.
computer with the Linux operating system; based software that can be
run on the virtual machine.
§ The basic idea of Hardware virtualization is to consolidate many
small physical servers into one large physical server so that the
processor can be used more effectively. The software that creates a
virtual machine on the host hardware is called a hypervisor or Virtual
Machine Manager. The hypervisor controls the processor, memory
and other components by allowing several different operating systems
to run on the same machine. The operating system running on the
machine will appear to have its own processor, memory and other
components.
Grid Computing
3. What is Grid Computing? What are the possible application areas for
using grid computing? (PM) (Nov 14)
Grid Computing:
a) This is a computer network in which each computer's resources are
shared with every other computer in the system.
b) Processing power, memory and data storage are all community
resources that authorized users can tap into and leverage for specific
tasks.
· Single sign-on: A user should be authenticated once and they should be able
to acquire resources, use them, and release them and to communicate internally
without any further authentication.
Cloud Computing
a) Elasticity and Scalability: Gives us the ability to expand and reduce resources
according to the specific service requirement.
b) Pay-per-Use: We pay for cloud services only when we use them, either for the short
term or for a longer duration.
c) On-demand: Because we invoke cloud services only when we need them, they are
not permanent parts of the IT infrastructure; this is a significant advantage of cloud
use as opposed to internal IT services. With cloud services there is no need to have
dedicated resources waiting to be used, as is the case with internal services.
d) Resiliency: The resiliency of a cloud service offering can completely isolate the
failure of server and storage resources from cloud users. Work is migrated to a
different physical resource in the cloud with or without user awareness and
intervention.
e) Multi Tenancy / Sharing: Public cloud service providers often can host the cloud
services for multiple users within the same infrastructure.
f) Workload Movement: This characteristic is related to resiliency and cost
considerations. Here, cloud-computing providers can migrate workloads across
servers both inside the data center and across data centers (even in a different
geographic area). This migration might be necessitated by cost.
9. Advantages of Cloud Computing
· Achieve economies of scale: Volume output or productivity can be increased
even with fewer systems, thereby reducing the cost per unit of a project or
product.
· Globalize the workforce: People worldwide can access the cloud with an Internet
connection.
· Streamline business processes: Getting more work done in less time with fewer
resources is possible.
· Reduce capital costs: There is no need to spend huge money on hardware, software,
or licensing fees.
· Pervasive accessibility: Data and applications can be accessed any time,
anywhere, using any smart computing device, making our life so much easier.
· Monitor projects more effectively: It is feasible to stay within budgetary
allocations and be ahead of completion cycle times.
· Less personnel training is needed: It takes fewer people to do more work on a
cloud, with a minimal learning curve on hardware and software issues.
· Minimize maintenance and licensing software: As not much on-premise computing
resource is required, maintenance becomes simple, and updates and
renewals of software systems are handled by the cloud vendor or provider.
· Improved flexibility: It is possible to make fast changes in our work environment
without serious issues at stake.
10. Drawbacks of Cloud Computing:
· If Internet connection is lost, the link to the cloud and thereby to the data and
applications is lost.
· Security is a major concern as entire working with data and applications depend on
other cloud vendors or providers.
· Although Cloud computing supports scalability (i.e. quickly scaling up and down
computing resources depending on the need), it does not permit the control on these
resources as these are not owned by the user or customer.
· Depending on the cloud vendor or provider, customers may have to face restrictions
on the availability of applications, operating systems and infrastructure options.
Types of clouds
· Cloud architecture typically involves multiple cloud components.
· The cloud computing environment can consist of multiple types of clouds based on
their deployment and usage. Such typical Cloud computing environments, catering
to special requirements, are briefly described as follows:
§ Further, privacy and organizational autonomy are not possible.
Private Clouds (Can be asked as a separate question: What is a private cloud and its
advantages?) [PM]
Hybrid Clouds
[PM]
· This is a combination of both at least one private (internal) and at least one public
(external) cloud computing environments.
· The usual method of using the hybrid cloud is to have a private cloud initially, and
then for additional resources, the public cloud is used. The hybrid cloud can be
regarded as a private cloud extended to the public cloud and aims at utilizing the
power of the public cloud by retaining the properties of the private cloud.
Community cloud
· The community cloud is the cloud infrastructure that is provisioned for exclusive use
by a specific community of consumers. It may be owned, managed, and operated
by one or more of the organizations in the community.
· In this, a private cloud is shared between several organizations. This model is
suitable for organizations that cannot afford a private cloud and cannot rely on
the public cloud either.
· Characteristics of Community Clouds are as follows:
§ Collaborative: In this, no single company has full control over the whole cloud.
Hence better cooperation provides better results.
§ Partially Secure: In a community cloud, where a few organizations share the cloud,
there is a possibility that data can be leaked from one organization to
another, though it is safe from the external world.
§ Cost Effective: As the complete cloud is being shared by several organizations
or community, not only the responsibility gets shared; the community cloud
becomes cost effective too.
· Cloud computing is a model that enables the end users to access the shared pool of
resources such as compute, network, storage, database and application as an on
demand service without the need to buy or own it. The services are provided and
managed by the service provider, reducing the management effort from the
end user side. The essential characteristics of the cloud include on-demand, self
service, broad network access, resource pooling, rapid elasticity, and measured
service. The National Institute of Standards and Technology (NIST) defines three
basic service models - Infrastructure as a Service (IaaS), Platform as a Service
(PaaS), and Software as a Service (SaaS).
§ Web access: The IaaS model enables the IT users to access infrastructure
resources over the Internet. The IT user need not get physical access to the
servers.
§ Centralized management: The resources distributed across different locations are
controlled from a centralized management console that ensures efficient and
effective resource utilization.
§ Highly scalable: Depending on the load, IaaS services can provide the
resources and services. The usage of resources can be increased or decreased
according to the requirements.
§ Shared infrastructure: IaaS follows a one-to-many delivery model and allows
multiple IT users to share the same physical infrastructure and thus ensure
high resource utilization.
§ Metered Services: Services are available on pay per use basis.
· Since SaaS is delivered as an on-demand service over the Internet, there is no need
to install the software to the end-user’s devices. SaaS services can be accessed
or disconnected at any time based on the end user’s needs.
· SaaS allows users to access a large variety of applications over the internet that are
hosted on the service provider's infrastructure.
· For example, one can create one's own word document in Google Docs online. Similarly,
one can edit a photo online on pixlr.com without the need to install photo editing
software on his / her system.
Mobile Computing
a) Mobile Communication:
· Refers to the infrastructure put in place to ensure that seamless and reliable
communication goes on.
· These would include elements such as Protocols, Services, Bandwidth and Portals
necessary to facilitate and support the stated services.
b) Mobile Hardware:
· It includes mobile devices or device components that receive or access the
service of mobility.
· They would range from Portable laptops, Smart phones, Tablet PC's to Personal
Digital Assistants.
· These devices will have receptors that are capable of sensing and receiving signals.
c) Mobile Software:
· It is the actual Program that runs on the mobile hardware.
· This is the engine of the mobile device. In other terms, it is the essential component
that makes the mobile device operate.
· Example: Apple iOS, Google Android, BlackBerry Operating System.
14. How Mobile Computing Works?
· The user enters or accesses data using the application on a handheld computing device.
· Using one of several connecting technologies, the new data are transmitted from the
handheld to the server system, where files are updated and the new data become accessible
to other system users.
· Now both systems (handheld and server computer) have the same information and
are in sync.
· The process works the same way starting from the other direction.
Green IT
Meaning:
· Green IT refers to the study and practice of establishing/ using computers and
IT resources in a more efficient and environmentally friendly and responsible
way.
· Computers consume a lot of natural resources, from the raw materials needed to
manufacture them, the power used to run them, and the problems of disposing them
at the end of their life cycle. Green computing is the environmentally responsible use
of these computers and related resources.
· Recycle:
§ Dispose e-waste according to central, state and local regulations;
§ Discard used or unwanted electronic equipment in an environmentally
responsible manner, as computers emit harmful emissions;
§ Manufacturers must offer safe end-of-life recycling options; and
§ Recycle computers through manufacturer’s recycling services.
· Conserve Energy:
§ Use Liquid Crystal Display (LCD) monitors rather than Cathode Ray Tube (CRT)
monitors;
§ Use notebook computers rather than desktop computers whenever possible;
§ Use the power-management features to turn off displays after several minutes of
inactivity;
§ Power-down the CPU and all peripherals during extended periods of inactivity;
§ Power-up and power-down energy-intensive peripherals such as laser printers
according to need;
§ Employ alternative energy sources for computing workstations, servers, networks
and data centers; and
§ Adapt more of video conferencing in order to go green and save energy.
· BYOD (Bring Your Own Device) refers to a business policy that allows employees to
use their preferred computing devices, like smart phones and laptops, for
business purposes.
· It means employees are welcome to use personal devices (laptops, smart phones,
tablets etc.) to connect to the corporate network to access information and
applications.
· The BYOD policy has made workspaces flexible, empowering employees to
be mobile and giving them the right to work beyond their required hours.
· Happy Employees: Employees love to use their own devices when at work. This
also reduces the number of devices an employee has to carry; otherwise he would
be carrying his personal as well as organization-provided devices.
· Increased employee efficiency: The efficiency of employees is higher when they
work on their own devices. Apart from this, the employee is not required to
spend much time on training.
· Lower IT budgets: BYOD could bring financial savings to the organization, since
employees would be using the devices they already possess, thus reducing the
organization’s outlay in providing devices to them.
· Reduces IT support requirement: The IT department does not have to provide end
user support and maintenance for all these devices, resulting in cost savings.
· Early adoption of new Technologies: Employees are generally proactive in
adopting new technologies, which results in enhanced productivity.
Every business decision is accompanied by a set of threats, and this is true of a
BYOD program as well. A BYOD program that allows access to the corporate network, emails,
client data etc. is one of the top security concerns for enterprises. Overall, these risks
can be classified into four areas as outlined below:
1. Network Risks
2. Device Risks
3. Application Risks
· The majority of employees’ phones and smart devices that were connected to the
corporate network were not protected by security software.
· With an increase in mobile usage, mobile vulnerabilities have increased
concurrently.
· Organizations are not clear in deciding who is responsible for device security:
the organization or the user.
4. Implementation Risks
· The effective implementation of the BYOD program should not only cover the
technical issues mentioned above but also mandate the development of a robust
implementation policy.
· Because corporate knowledge and data are key assets of an organization, the
absence of a strong BYOD policy would fail to communicate employee expectations,
thereby increasing the chances of device misuse.
· In addition to this, a weak policy fails to educate the user, thereby increasing
vulnerability to the above-mentioned threats.
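The device and application risks above come down to one question an organization must answer before a personal device touches the corporate network: does the device meet a minimum posture? The following is an added illustration, not part of the study material and not any vendor's product. The policy thresholds, the posture field names and the sample devices are all constructed for the example; it shows how a BYOD policy can be turned into a check that either allows, limits or denies network access and tells the user why.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Tuple

MAX_PATCH_AGE_DAYS = 90  # assumed policy threshold, not from the study material


@dataclass
class DevicePosture:
    """Self-reported posture of a personal device (constructed field names)."""
    device_id: str
    owner: str
    has_security_software: bool
    disk_encrypted: bool
    screen_lock: bool
    rooted_or_jailbroken: bool
    last_patch: date


def evaluate_device(posture: DevicePosture, today: date) -> List[str]:
    """Return the policy violations found; an empty list means compliant."""
    violations = []
    if not posture.has_security_software:
        violations.append("no security software installed")
    if not posture.disk_encrypted:
        violations.append("device storage not encrypted")
    if not posture.screen_lock:
        violations.append("screen lock disabled")
    if posture.rooted_or_jailbroken:
        violations.append("device is rooted/jailbroken")
    if (today - posture.last_patch).days > MAX_PATCH_AGE_DAYS:
        violations.append("OS patch level older than %d days" % MAX_PATCH_AGE_DAYS)
    return violations


# Violations that deny access outright; any other violation allows only limited
# access (e.g. webmail) until the user remediates the device.
HARD_FAILURES = {"device is rooted/jailbroken", "device storage not encrypted"}


def access_decision(posture: DevicePosture, today: date) -> Tuple[str, List[str]]:
    """Decide 'allow', 'limited' or 'deny' for the corporate network."""
    violations = evaluate_device(posture, today)
    if not violations:
        return "allow", violations
    if any(v in HARD_FAILURES for v in violations):
        return "deny", violations
    return "limited", violations


# Constructed sample devices for the demonstration
SAMPLE_DEVICES = [
    DevicePosture("D1", "alice", True, True, True, False, date(2024, 5, 1)),
    DevicePosture("D2", "bob", False, True, True, False, date(2024, 5, 1)),
    DevicePosture("D3", "carol", True, False, True, True, date(2023, 1, 1)),
]


def review_all(today: date = date(2024, 6, 1)):
    """Map each sample device to its access decision."""
    return {d.device_id: access_decision(d, today)[0] for d in SAMPLE_DEVICES}
```

The split between hard failures and remediable ones is the policy decision the text says organizations leave unclear: the organization decides which conditions are non-negotiable, and the user is told exactly what to fix.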
The term Web 3.0, also known as the Semantic Web, describes sites wherein the
computers generate raw data on their own without direct user interaction. Web 3.0 is
considered the next logical step in the evolution of the Internet and Web
technologies. For Web 1.0 and Web 2.0, the Internet is confined within the physical
walls of the computer, but as more and more devices such as smartphones, cars
and other household appliances become connected to the web, the Internet will be
omnipresent and could be utilized in the most efficient manner.
Web 3.0 technology uses the “Data Web” technology, which features data
records that are publishable and reusable on the web through queryable
formats. The Web 3.0 standard also incorporates the latest research in the
field of artificial intelligence.
To conclude, Web 3.0 helps to achieve more connected, open and intelligent web
applications using the concepts of natural language processing, machine learning,
machine reasoning and autonomous agents.
Applications: Some of the applications are as follows:
1. All home appliances are connected, and that shall create a virtual home.
a. Home owners can keep track of all activities in the house through their hand held
devices.
b. Home security CCTV is also monitored through hand held devices.
Risks: The Internet of Things is an evolving phenomenon. The risks listed are those which
are most discussed for IoT today. As technology evolves, new issues shall crop up. The
risk due to IoT has various facets to it:
The figure above illustrates the big risks IoT may create for individuals.
· Intentional obsolescence of devices: This may happen because
§ Companies which want to bring out a new product may force users to dump the
old products. They can do this by disabling the operating software of the old
product.
Applications:
Artificial Intelligence is being used in the following applications:
§ Autonomous vehicles (such as drones and self-driving cars)
§ Medical diagnosis, e.g. in cancer research, and predicting the chances of an individual
falling ill with a disease;
§ Proving mathematical theorems;
§ Playing games (such as Chess or Go) and predicting the outcomes, say
which number on a lottery ticket may win;
§ Search engines (such as Google search);
§ Online assistants (such as Siri);
Risks:
1. AI relies heavily on the data it gets. Incorrect data can lead to incorrect conclusions.
2. AI (robots) carries security threats. Countries are discussing having a KILL
button in all AI-capable machines. This is important, otherwise someday machines
may start controlling humans.
3. AI in the long term may kill the human skill of thinking the unthinkable. All data shall
be processed in a structured manner, where machines shall provide solutions based
on their learning over a period of time. These machines shall not have the capability of
thinking out of the box.
Controls: The set of controls in AI will be extremely complex because of the nature
of processing of information and must be dealt with based on the nature of the AI
tool and its purpose, etc.
25. Explain Machine Learning
Risk: Machine learning being an application based on AI, the nature of the risks to it
remains similar to those posed by AI systems.
CHAPTER-5
CORE BANKING SYSTEMS
CHAPTER OVERVIEW (diagram): Core Banking Systems (CBS): Components; Architecture;
Working of CBS; Risk Assessment and Risk Management Process; Related Risks and
Controls; Banking Services (CASA, Credit Cards).
Core Banking Solution / System (CBS)
Introduction
Some of the major products and services provided and rendered by commercial banks
which constitute core banking services are briefly explained here.
· Acceptance of Deposits
§ Deposits involve deposits by customers in various schemes for pre-defined
periods.
§ Deposits fuel the growth of banking operations; this is the most important
function of a commercial bank.
§ Commercial banks accept deposits in various forms such as term deposits,
savings bank deposits, current account deposits, recurring deposits, saving-cum-
term deposits and various other innovative products.
· Granting of Advances
§ Advances constitute a major source of lending by commercial banks. The types of
advances include cash credit, overdrafts, purchase/ discounting of bills, term
loans, etc.
§ Apart from granting traditional facilities, banks also provide facilities like issuance
of commercial papers, ECB (External Commercial Borrowing) on behalf of the bank/
borrower, securitization of credit sales, housing loans, educational loans, car
loans, etc.
· Remittances
§ Remittances involve transfer of funds from one place to another.
§ Two of the most common modes of remittance of funds are demand drafts and
Telegraphic/ Mail Transfers (TT/ MT).
§ Drafts are issued by one branch of the Bank and are payable by another branch
of the Bank. The drafts are handed over to the applicant. In the case of
telegraphic/ mail transfer, no instrument is handed over to the applicant; the
transmission of the instrument is the responsibility of the branch. Generally, the
payee of both the TT and the MT is an account holder of the paying branch.
§ Electronic Funds Transfer is another mode of remittance which facilitates almost
instant transfer of funds between two centers electronically. Most of the banks
have now introduced digital mode of remittance which makes remittance
possible online and on mobile devices directly by the customer in a few clicks.
· Collections
§ Collections involve collecting proceeds on behalf of the customer.
§ Customers can lodge various instruments to the banks for collection such as
cheques, drafts, pay orders, dividend and interest warrants, tax refund orders,
etc. drawn in their favor.
§ Banks also collect instruments issued by post offices, like national savings
certificates, postal orders, etc.
· Clearing
§ Clearing involves collecting instruments on behalf of customers of the bank.
§ The instruments such as cheques, pay orders etc. may be payable locally or at an
outside center. The instruments payable locally are collected through the clearing
house mechanism, while the instruments payable outside are sent by the Bank to
its branch.
§ The clearing house settles the inter-Bank transactions among the local participating
member banks. There may be separate clearing houses for MICR (Magnetic Ink
Character Recognition) and non-MICR instruments.
§ Electronic Clearing Services (ECS) is used extensively now for clearing. ECS takes
two forms: ECS Credit or ECS Debit.
- In the case of ECS credit, there is a single receiver of funds from a large
number of customers, e.g., public utilities, mutual funds, etc. The beneficiary
(i.e., the receiver of funds) obtains mandate from its customers to withdraw
funds from their specified Bank accounts on a specific date.
- In the case of ECS debit, there is a single account to be debited against which
many accounts with a number of banks in the same clearing house area are
credited. This system is useful for distribution of dividend/ interest, payment
of salaries by large units, etc.
· Credit Cards
§ It is a service provided by the bank to customers to enable them to pay a merchant for
goods and services on a credit basis, based on the customer’s promise to the card
issuer to pay the amount so paid.
§ Most credit cards issued by banks are linked to one of the international credit card
networks like VISA, Master, Amex.
· Debit Cards
§ Debit Cards are issued by the bank where the customer holds their account.
§ Debit Cards enable customers to pay at any authorized outlet as well as to
withdraw money from an ATM from their account.
§ Debit cards are networked with an inter-bank network. When a debit card is used
for a transaction, the amount is immediately deducted from the customer’s account
balance.
(ii) Multiplicity and complexity of systems: The Technology architecture used for
services could include multiple digital platforms and is quite complex. Hence, this
requires the bank to have personnel with requisite technology skills or the
management of the bank’s technology could be outsourced to a company having
the relevant skill set.
(iv) Proper alignment with business objectives and legal/ regulatory requirements:
Banks must ensure that the CBS and allied systems implemented, cater to all the
business objectives and needs of the bank, in addition to the legal/regulatory
requirements envisaged.
4. Explain Risk, Risk analysis, Risk Assessment
Risk: The potential harm caused if a threat exploits a particular vulnerability to cause
damage to an asset. For example: inadequate security is a vulnerability which could be
exploited by a hacker.
Risk Analysis: is defined as the process of identifying security risks and determining their
magnitude and impact on an organization. Information systems can generate many direct
and indirect risks.
These risks lead to a gap between the need to protect systems and the degree of
protection applied. The gap is caused by:
§ Widespread use of technology
§ Interconnectivity of systems;
§ Increase in unconventional electronic attacks;
§ Devolution of management and control;
§ External factors such as legislative, legal and regulatory requirements or IT
developments.
Risk Assessment:
Risks are mitigated by implementing risk assessment. This involves the following:
o Identification of threats and vulnerabilities in the system;
o Potential impact or magnitude of harm that a loss of security would have on
enterprise operations or enterprise assets; and
o The identification and analysis of security controls for information systems:
(ii) Growing potential for misuse and abuse of information system affecting privacy
and ethical values; and Increasing requirements for availability and robustness.
(iii) Phishing attacks through Internet Banking. Phishing is the attempt to obtain
sensitive information such as usernames, passwords, and credit card details (and,
indirectly, money), often for malicious reasons, by disguising as a trustworthy
entity in an electronic communication.
Risks to Data
· Unauthorized data changes affecting integrity of data;
· Absence of audit trail/ logs;
· Unauthorized transactions;
· Unauthorized entry/ corrections/ deletions;
· Transactions without vouchers;
· Changing data using other’s password;
· Willful and wrong inputs; and
Other IT Risks
· Unauthorized or incorrect Interest rate changes;
· Incorrect Interest computation;
· Incorrect computation of charges;
· Unauthorized increases in credit limits;
· Payment of stopped cheques;
· Payment of duplicate drafts/ Fixed Deposit Certificates issued; and
· Opening of New accounts without complying with KYC (Know Your Customer)
norms as specified by RBI.
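Several of the data risks and IT risks listed above leave traces in the transaction log, so an internal audit can look for them mechanically. The following is an added example, not part of the study material and not the format of any real CBS: the transaction records, the stop-payment list and the user IDs are all constructed. It flags payments made on stopped cheques, the same draft number paid twice, entries with no voucher reference, and entries posted under a user ID different from the one logged in at the workstation (a symptom of someone changing data using another person's password).

```python
from collections import Counter
from typing import Dict, List, Set, Tuple

# Constructed sample data: (account, cheque number) pairs on which the customer
# has placed a stop-payment instruction.
STOPPED_CHEQUES: Set[Tuple[str, str]] = {("ACC1001", "000123")}

# Constructed transaction log. "user" is the ID whose credentials posted the
# entry; "terminal_user" is the ID logged in at the workstation it came from.
TRANSACTIONS: List[Dict] = [
    {"txn_id": "T1", "type": "CHEQUE_PAYMENT", "account": "ACC1001", "instrument": "000123",
     "amount": 5000.0, "voucher": "V-1", "user": "U7", "terminal_user": "U7"},
    {"txn_id": "T2", "type": "CHEQUE_PAYMENT", "account": "ACC1001", "instrument": "000124",
     "amount": 200.0, "voucher": "V-2", "user": "U7", "terminal_user": "U7"},
    {"txn_id": "T3", "type": "DRAFT_PAYMENT", "account": "ACC2002", "instrument": "DD-77",
     "amount": 1500.0, "voucher": "V-3", "user": "U8", "terminal_user": "U8"},
    {"txn_id": "T4", "type": "DRAFT_PAYMENT", "account": "ACC2002", "instrument": "DD-77",
     "amount": 1500.0, "voucher": "V-4", "user": "U8", "terminal_user": "U8"},
    {"txn_id": "T5", "type": "CASH_WITHDRAWAL", "account": "ACC3003", "instrument": None,
     "amount": 900.0, "voucher": "", "user": "U9", "terminal_user": "U9"},
    {"txn_id": "T6", "type": "MASTER_CHANGE", "account": "ACC3003", "instrument": None,
     "amount": 0.0, "voucher": "V-6", "user": "U9", "terminal_user": "U7"},
]


def payments_on_stopped_cheques(txns, stopped):
    """Cheque payments that went through despite a stop instruction."""
    return [t["txn_id"] for t in txns
            if t["type"] == "CHEQUE_PAYMENT"
            and (t["account"], t["instrument"]) in stopped]


def duplicate_draft_payments(txns):
    """Draft numbers paid more than once (duplicate draft risk)."""
    counts = Counter(t["instrument"] for t in txns if t["type"] == "DRAFT_PAYMENT")
    duplicated = {num for num, n in counts.items() if n > 1}
    return [t["txn_id"] for t in txns
            if t["type"] == "DRAFT_PAYMENT" and t["instrument"] in duplicated]


def transactions_without_vouchers(txns):
    """Entries with no voucher reference attached."""
    return [t["txn_id"] for t in txns if not t.get("voucher")]


def entries_under_another_users_credentials(txns):
    """Entries whose posting user differs from the workstation login."""
    return [t["txn_id"] for t in txns if t["user"] != t["terminal_user"]]


def exception_report(txns=TRANSACTIONS, stopped=STOPPED_CHEQUES):
    """Run every check and return the transaction IDs each one flagged."""
    return {
        "stopped_cheque_paid": payments_on_stopped_cheques(txns, stopped),
        "duplicate_draft_paid": duplicate_draft_payments(txns),
        "no_voucher": transactions_without_vouchers(txns),
        "credential_mismatch": entries_under_another_users_credentials(txns),
    }
```

Each check is only as good as the log it reads, which is why "absence of audit trail/ logs" appears in the risk list itself: the voucher and terminal-login fields must be captured at the time of posting, not reconstructed later.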
Internal Control System in Banks
activity for a pre-determined time, the user is automatically logged out of the
system.
· Once the end-of-the-day process is over, the ledgers cannot be opened without a
supervisory level password.
IT controls are selected and implemented based on the risks they are designed to
manage. In case of banking industry, risks are all pervasive.
However, the focus in this chapter is not on business related risks of banking but IT
related risks and controls of banking automation.
Apart from the classification of controls already discussed in detail in previous chapter, a
common classification of IT controls is General Controls and Application Controls.
General Controls are macro in nature whereas Application Controls are controls which
are specific to the application software.
General Controls
General Controls, also known as Infrastructure Controls, are present across different layers of
the IT environment and information systems. General Controls are pervasive controls and
apply to all system components, processes, and data for a given enterprise or systems
environment. General controls include, but are not limited to:
· Information Security Policy: The security policy is approved by the senior
management and encompasses all areas of operations of bank and drives access to
information across the enterprise and other stakeholders.
· Administration, Access, and Authentication: IT should be administered with
appropriate policies and procedures clearly defining the levels of access to
information and authentication of users.
· Separation of key IT functions: Secure deployment of IT requires the bank to have
separate IT organization structure with clear demarcation of duties for different
personnel within IT department and to ensure that there are no Segregation of
duties conflicts.
· Management of Systems Acquisition and Implementation: Software solutions for
CBS are either developed or acquired and implemented. Hence, process of
acquisition and implementation of systems should be properly controlled.
· Change Management: IT solutions deployed and its various components must be
changed in tune with changing needs as per changes in technology environment,
business processes, regulatory and compliance requirements. These changes impact
the live environment of banking services.
Hence, change management process should be implemented to ensure smooth
transition to new environments covering all key changes including hardware,
software and business processes. All changes must be properly approved by the
management, before implementation.
· Backup, Recovery and Business Continuity: Heavy dependence on IT and criticality
makes it imperative that resilience of banking operations should be ensured by
having appropriate business continuity including backup, recovery and off-site
data Centre.
· Confidentiality, Integrity and Availability of Software and data files: Security is
implemented to ensure confidentiality, integrity and availability of information.
· Incident response and management: There may be various incidents
created due to failure of IT. These incidents need to be appropriately
responded to and managed as per pre-defined policies and procedures.
14. Examples of CBS software
· Finacle: Core banking software suite developed by Infosys that provides universal
banking functionality covering all modules for banks covering all banking services.
· FinnOne: Web-based global banking product designed to support banks and financial
solution companies in dealing with assets, liabilities, core financial accounting and
customer service.
· Flexcube: Comprehensive, integrated, interoperable, and modular solution that
enables banks to manage evolving customer expectations.
· BaNCS: A customer-centric business model which offers simplified operations
comprising loans, deposits, wealth management, digital channels and risk and
compliance components.
· bankMate: A full-scale Banking solution which is a scalable, integrated e-banking
system that meets the deployment requirements in traditional and non-traditional
banking environments. It enables communication through any touch point to provide
full access to the complete range of banking services with an anytime, anywhere
paradigm.
· Reliance on transaction balancing.
· Highly dependent system-based controls.
· Authorizations occur within the application.
· Increased access by staff at various levels based on authorization.
· Daily, half yearly and annual closing,
· Automatic processing of standing instructions,
· Centralized interest applications for all accounts and account types
· Anytime, anywhere access to customers and vendors.
19. Explain key technology components of CBS
The software resides in a centralized application server which is in the Central Office Data
Centre, so the application software is not available at the branch but can be accessed
from the branches or online. Along with database servers and other servers, an
application server is located at the Central Data Centre.
A Core Banking Solution is the enterprise resource planning software of a bank. It covers
all aspects of banking operations from a macro to micro perspective and covers the
entire gamut of banking services ranging from front office to back office operations,
transactions at counters to online transactions up to general ledger and reporting as
required.
However, a CBS is modular in nature and is generally implemented for all functions or for
core functions as decided by the bank. For example, if treasury operations or foreign
exchange transactions are minimal, then these may not be implemented in CBS but the
results could be linked to CBS through a proper interface. Hence, the
implementation would depend on the need and criticality of specific banking services
provided by the bank. The following Fig. provides a functional architecture of CBS
covering the complete range of banking services.
· Approval: The decision to implement CBS requires high investment and recurring
costs and will impact how banking services are provided by the bank. Hence, the
decision must be approved by the board of directors.
· Selection: Although there are multiple vendors of CBS, each solution has key
differentiators. Hence, bank should select the right solution considering various
parameters as defined by the bank to meet their specific requirements and business
objectives.
· Design and develop or procure: CBS solutions were earlier developed in-
house by the bank. Currently, most CBS deployments are procured. There
should be appropriate controls covering the design or development or procurement
of CBS for the bank.
· Testing: Extensive testing must be done before the CBS goes live. The testing is to be
done at different phases: at the procurement stage to test suitability, at data migration to
ensure all existing data is correctly migrated, and to confirm that processing of
various types of transactions of all modules produces the correct results.
· Implementation: CBS must be implemented as per pre-defined and agreed plan with
specific project milestones to ensure successful implementation.
· Maintenance: CBS must be maintained as required. E.g. program bugs fixed, version
changes implemented, etc.
· Support: CBS must be supported to ensure that it is working effectively.
· Updation: CBS modules must be updated based on requirements of business
processes, technology updates and regulatory requirements.
· Audit: Audit of CBS must be done internally and externally as required to ensure that
controls are working as envisaged.
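The data-migration test in the Testing step above is worth seeing concretely: "all existing data is correctly migrated" means reconciling the legacy extract against what landed in the new CBS, not just eyeballing a few accounts. The following is an added example, not part of the study material and not any vendor's migration tool. The record layout and the sample accounts are constructed; the reconciliation compares record counts, lists accounts missing or unexpectedly present after migration, detects field-level changes with a fingerprint of each record, and checks that the total of balances carried over is unchanged.

```python
import hashlib
from decimal import Decimal
from typing import Dict, List

# Constructed legacy extract (source system)
LEGACY: List[Dict] = [
    {"acct": "1001", "name": "A. Kumar", "type": "SB", "balance": Decimal("1500.25")},
    {"acct": "1002", "name": "B. Shah", "type": "CA", "balance": Decimal("-200.00")},
    {"acct": "1003", "name": "C. Mehta", "type": "TD", "balance": Decimal("10000.00")},
]

# Constructed extract from the new CBS after migration, with deliberate defects:
# the name of 1002 was altered, 1003 was not carried over, and 1004 appeared.
MIGRATED: List[Dict] = [
    {"acct": "1001", "name": "A. Kumar", "type": "SB", "balance": Decimal("1500.25")},
    {"acct": "1002", "name": "B Shah", "type": "CA", "balance": Decimal("-200.00")},
    {"acct": "1004", "name": "D. Rao", "type": "SB", "balance": Decimal("50.00")},
]


def fingerprint(rec: Dict) -> str:
    """Hash of the fields that must survive migration unchanged."""
    key = "|".join([rec["acct"], rec["name"], rec["type"], str(rec["balance"])])
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


def reconcile(legacy: List[Dict] = LEGACY, migrated: List[Dict] = MIGRATED) -> Dict:
    """Compare the two extracts and report every discrepancy found."""
    by_acct_legacy = {r["acct"]: r for r in legacy}
    by_acct_migrated = {r["acct"]: r for r in migrated}
    common = set(by_acct_legacy) & set(by_acct_migrated)
    result = {
        "count_legacy": len(by_acct_legacy),
        "count_migrated": len(by_acct_migrated),
        "missing": sorted(set(by_acct_legacy) - set(by_acct_migrated)),
        "unexpected": sorted(set(by_acct_migrated) - set(by_acct_legacy)),
        "changed": sorted(a for a in common
                          if fingerprint(by_acct_legacy[a]) != fingerprint(by_acct_migrated[a])),
        # control totals: the sum of balances must be identical on both sides
        "balance_legacy": sum(r["balance"] for r in legacy),
        "balance_migrated": sum(r["balance"] for r in migrated),
    }
    result["passed"] = (not result["missing"] and not result["unexpected"]
                        and not result["changed"]
                        and result["balance_legacy"] == result["balance_migrated"])
    return result
```

Control totals alone would not catch a name change, and a fingerprint comparison alone would not summarize the financial exposure; a migration sign-off needs both, and the migration is not accepted until "passed" is true for every module's data.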
Fundamentally, in a CBS, all the bank’s branches access applications from centralized
data-centers. Core banking systems are akin to a human heart in terms of importance
and functionality. All transactions are routed through core systems, which are available
24x7 and accessible from anywhere, anytime and through multiple devices such as
desktops, laptops, ATMs, the Internet, mobile phones, tablets, etc.
The following diagram provides an overview of how a CBS works. It may be noted that
the core of CBS is the customer who interacts with CBS through various channels such as
branches, ATMs, call centres, internet banking, relationship officers of bank or through
mobile phones. These delivery channels connect to different business modules / silos in
an integrated manner. These functional modules connect to various types of servers such
as database server, CRM server, application server, data warehouse server, ATM servers,
etc. In addition, partners/ vendors may also be connected to the CBS.
CBS IT Environment
Servers
· The Server is a sophisticated computer that accepts service requests from different
machines called clients. The requests are processed by the server and the results are sent
back to the clients. This server is a powerful and robust system as it performs the entire core
banking operations. CBS is developed as an internet-based application and therefore can
be accessed through a browser application.
· The application server may be decentralized and located at a regional office or at a branch
for easy and quick response. No user is granted access to CBS directly. Access is
always through a channel server that processes the request and fetches or sends data
to CBS for updating.
· Validation is a complete process within the computer that ensures that the data
fed in conforms to certain prerequisite conditions. E.g., if an operator keys in data
for withdrawal of money, the account number of the customer would naturally be entered
by the operator. But there is a built-in control so that further processing
is entertained only after the system verifies that the account number
entered already exists in the database, i.e., it is an existing customer.
· After the data is validated at the branch, it is sent to the respective channel
server in the centralized data center. The channel server (which houses the respective
channel software), after receiving the data, performs the necessary operations and updates
the core database, etc.
· There are different types of servers used in deploying CBS. Some of these are briefly
explained here:
(i) Application Server
(ii) Database Server
(iii) Automated Teller Machine channel Server,
(iv) Internet Banking Channel Server,
(v) Internet Banking Application Server
(vi) Web Server,
(vii) Proxy Server,
(viii) Anti-Virus Software Server, etc.
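The built-in validation described above (the account number keyed in must already exist before processing continues) extends naturally to the other prerequisite conditions of a withdrawal entry. The following is an added example, not part of the study material and not any CBS vendor's code; the account master, the status codes and the entry format are constructed. It validates the operator's keyed-in data at the branch and only builds a message for the channel server when every check passes, returning the reasons otherwise.

```python
from decimal import Decimal, InvalidOperation
from typing import Dict, List, Optional, Tuple

# Constructed branch copy of the account master used for validation
ACCOUNT_MASTER: Dict[str, Dict] = {
    "ACC1001": {"status": "ACTIVE", "balance": Decimal("2500.00")},
    "ACC1002": {"status": "FROZEN", "balance": Decimal("900.00")},
}


def parse_amount(amount_text: str) -> Optional[Decimal]:
    """Parse the keyed-in amount; None if it is not a finite 2-decimal amount."""
    try:
        amount = Decimal(amount_text)
    except InvalidOperation:
        return None
    if not amount.is_finite() or amount != amount.quantize(Decimal("0.01")):
        return None
    return amount


def validate_withdrawal(account_no: str, amount_text: str,
                        master: Dict[str, Dict] = ACCOUNT_MASTER) -> Tuple[bool, List[str]]:
    """Return (ok, errors); ok is True only when every prerequisite holds."""
    errors: List[str] = []
    account = master.get(account_no)
    if account is None:
        # nothing else can be checked for an unknown account
        return False, ["account number not found in database"]
    if account["status"] != "ACTIVE":
        errors.append("account is not active (%s)" % account["status"])
    amount = parse_amount(amount_text)
    if amount is None:
        errors.append("amount is not a valid monetary value")
    elif amount <= 0:
        errors.append("amount must be positive")
    elif amount > account["balance"]:
        errors.append("amount exceeds available balance")
    return not errors, errors


def prepare_for_channel_server(operator: str, account_no: str, amount_text: str):
    """Build the message sent to the channel server, or return the errors."""
    ok, errors = validate_withdrawal(account_no, amount_text)
    if not ok:
        return None, errors
    message = {"operator": operator, "account": account_no,
               "type": "WITHDRAWAL", "amount": str(parse_amount(amount_text))}
    return message, []
```

Note that the amount is handled as a Decimal parsed from the operator's text and never as a floating-point number, so an entry such as "12.345" is rejected rather than silently rounded.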
Application Server
· All the transactions of the customer are processed by the data center. The
Application Server performs necessary operations and this updates the account of
the customer “A” in the database server.
· The customer may do some other operation in branch “Y”. The process is validated
at branch “Y” and the data is transmitted to the application software at the data
center. The results are updated in the database server at the centralized data
center. Thus, it would be observed that whatever operations a customer may do at
any of the branches of the bank the accounting process being centralized at the
centralized data center is updated at the centralized database.
· The application software, CBS, which is in the application server, must always be the
latest version, as accepted after adequate testing. Changes are first made on a
separate server called a test server. The programs are debugged and certified that
the program is now amended as required and performs as expected.
· The changed and latest application software is then moved into the application
server under proper authority. The earlier version is archived and the latest
copy of the software always has a backup copy.
Database Server
· The Database Server of the Bank contains the entire data of the Bank. The data
consists of the various accounts of the customers and master data (examples of master
data are customer data, employee data, base rates for advances, FD rates, the rate
for loans, penalty to be levied under different circumstances, etc.).
· The application software, ATM server and Internet Banking Application Server
access the database server. The data contained in the database must be very secure
and no direct access should be permitted, to prevent unauthorized changes. Strict
discipline is followed regarding the maintenance of the database server; there is a
designated role for maintenance of the database. The individual who performs this
role is called the Database Administrator. His activities are also monitored, as all
changes made are recorded in a log. Scrutiny of the log discloses the
type of activities and the effect of such activities.
other reason, the file containing the account balances of the customers is sent to the
ATM switch. Such a file is called a Positive Balance File (PBF). Till the central database
becomes accessible, the ATM transactions are passed against the balance available in
the ATM server. Once the central database server becomes accessible, all the
transactions that took place during the period the central database was
inaccessible are updated in the central database. This ensures not only
continuity of ATM operations but also ensures that the central database is always
up-to-date.
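The PBF arrangement just described is a store-and-forward design for a specific failure mode: the central database is down, but withdrawals must continue without allowing the same balance to be drawn twice. The following is an added example, not part of the study material and not any ATM switch vendor's code; the balances, account numbers and the in-memory stand-ins for the central database and the ATM server are constructed. It models the outage end to end: transactions go to the central database while it is reachable, are authorized against the PBF snapshot (which is reduced as each withdrawal is approved) while it is not, and are replayed into the central database once it comes back.

```python
from decimal import Decimal
from typing import Dict, List, Tuple


class CentralDatabase:
    """Stand-in for the central database server; 'available' simulates an outage."""

    def __init__(self, balances: Dict[str, Decimal]):
        self.balances = dict(balances)
        self.available = True

    def debit(self, acct: str, amount: Decimal) -> None:
        if not self.available:
            raise ConnectionError("central database unreachable")
        if self.balances.get(acct, Decimal(0)) < amount:
            raise ValueError("insufficient funds")
        self.balances[acct] -= amount


class AtmServer:
    """ATM server holding the Positive Balance File and the offline queue."""

    def __init__(self, central: CentralDatabase):
        self.central = central
        self.pbf: Dict[str, Decimal] = {}          # account -> balance snapshot
        self.pending: List[Tuple[str, Decimal]] = []  # withdrawals done offline

    def load_pbf(self) -> None:
        # In practice the data centre sends a file; here the balances are copied.
        self.pbf = dict(self.central.balances)

    def withdraw(self, acct: str, amount: Decimal) -> str:
        """Return 'online', 'offline' or 'declined' for the withdrawal."""
        try:
            self.central.debit(acct, amount)
            return "online"
        except ValueError:
            return "declined"
        except ConnectionError:
            # Offline mode: authorize against the PBF and reduce it so that the
            # same balance cannot be withdrawn twice during the outage.
            if self.pbf.get(acct, Decimal(0)) < amount:
                return "declined"
            self.pbf[acct] -= amount
            self.pending.append((acct, amount))
            return "offline"

    def resync(self) -> int:
        """Replay queued withdrawals into the central database; return the count."""
        applied = 0
        while self.pending:
            acct, amount = self.pending[0]
            self.central.debit(acct, amount)   # raises ConnectionError if still down
            self.pending.pop(0)                # remove only after the central debit
            applied += 1
        self.load_pbf()                        # refresh the snapshot for next time
        return applied


def run_outage_scenario() -> Dict[str, object]:
    """Drive one outage through the model and return the observable results."""
    central = CentralDatabase({"ACC1": Decimal("1000.00")})
    atm = AtmServer(central)
    first = atm.withdraw("ACC1", Decimal("100.00"))     # online: central now 900
    atm.load_pbf()                                      # PBF sent as the link drops
    central.available = False
    second = atm.withdraw("ACC1", Decimal("300.00"))    # offline against PBF (600 left)
    third = atm.withdraw("ACC1", Decimal("800.00"))     # exceeds PBF balance
    queued = len(atm.pending)
    central.available = True
    replayed = atm.resync()
    return {"first": first, "second": second, "third": third, "queued": queued,
            "replayed": replayed, "central_balance": str(central.balances["ACC1"]),
            "pending_after": len(atm.pending)}
```

The two details that make this safe are that the PBF balance is decremented at authorization time, and that a queued transaction is removed only after the central debit succeeds, so a second outage during replay loses nothing.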
Web Server
· The Web Server is used to host all web services and internet related software. All
the online requests and websites are hosted and serviced through the web server.
· A Web server is a program that uses HTTP (Hypertext Transfer Protocol) to serve
the files that form Web pages to users, in response to their requests, which are
forwarded by their computers’ HTTP clients. All computers that host Web sites must
have Web server programs.
Proxy Server
· A Proxy Server is a computer that offers a computer network service to allow
clients to make indirect network connections to other network services. A client
connects to the proxy server, and then requests a connection, file, or other
resource available on a different server.
· In some cases, the proxy may alter the client’s request or the server’s response for
various purposes.
Current & Savings Accounts (CASA), Credit Cards, Loans and Advances, Treasury
and Mortgages.
24. Explain Business process flow of Current & Savings Accounts (CASA)
Process Flow of CASA facility (as shown in the Fig.)
(i) Either the customer approaches the relationship manager to apply for a CASA
facility or applies for the same through internet banking; the charges/ rates for
the facility are provided by the relationship manager on the basis of the request made
by the customer.
(ii) Once the potential customer agrees to avail the facilities / products of the
bank, the relationship manager requests the relevant documents, i.e. KYC
and other relevant documents of the customer depending upon the
facility/product. KYC (Know Your Customer) is a process by which banks obtain
information about the identity and address of the customers. KYC documents
can be Passport, Driving License, etc.
(iii) The documents received from the customers are handed over to the Credit
team / Risk team for sanctioning of the facilities/limits of the customers.
(iv) The Credit team verifies the documents, assesses the financial and credit worthiness
of the borrowers and updates the facilities in the customer account.
(v) The Current / Savings account along with the facilities requested is
provided to the customer for daily functioning.
(vi) Customers can avail facilities such as cheque deposits / withdrawal, Cash
deposit / withdrawal, Real Time Gross Settlement (RTGS), National Electronics
Funds Transfer System (NEFT), Electronic Clearing Service (ECS), Overdraft
Fund Transfer services provided by the bank.
25. What are the risks & controls around the CASA Process
Risk & Controls around the CASA Process
S.No. / Risk / Key Controls
1. Risk: Credit Line setup is unauthorized and not in line with the bank’s policy.
Key Control: The credit committee checks that the Financial Ratios, the Net-worth, the
Risk factors and their corresponding mitigating factors, the Credit Line offered and the
Credit amount etc. are in line with the Credit Risk Policy and that the Client can be given the
Credit Line.
2. Risk: Credit Line setup in CBS is unauthorized and not in line with the bank’s policy.
Key Control: Access rights to authorize the credit limit in the account setup system should
be restricted to authorized personnel.
3. Risk: Customer Master defined in CBS is not in accordance with the Pre-Disbursement
Certificate.
Key Control: Access rights to authorize the customer master in CBS should be restricted to
authorized personnel.
4. Risk: Inaccurate interest / charge being calculated in CBS.
Key Control: Interest on fund based facilities is automatically calculated in the CBS as per
the defined rules.
5. Risk: Unauthorized personnel approving the CASA transaction in CBS.
Key Control: Segregation of Duties to be maintained between the initiator and authorizer
of the transaction for processing transactions in CBS.
6. Risk: Inaccurate accounting entries generated in CBS.
Key Control: Accounting entries are generated by CBS on the basis of the facilities
requested by the customer and the defined configurations for those facilities in CBS.
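Controls 1, 2 and 5 in the table above are all forms of one mechanism: the person who initiates a credit-line setup cannot be the person who authorizes it, only users holding the authorizer role can authorize, and the authorizer checks the request against the credit risk policy. The following is an added example, not part of the study material and not any CBS vendor's implementation; the roles, the policy cap (limit at most half of net worth) and the sample requests are constructed. It models a maker-checker workflow with an audit log and shows each way a request is stopped.

```python
from typing import Dict, List, Set, Tuple


class CreditLineWorkflow:
    """Maker-checker control for credit-line setup (constructed illustration)."""

    def __init__(self, roles: Dict[str, Set[str]], max_limit_ratio: float = 0.5):
        self.roles = roles                      # user -> set of roles held
        self.max_limit_ratio = max_limit_ratio  # constructed policy cap
        self.requests: Dict[str, Dict] = {}
        self.audit_log: List[Tuple[str, str, str]] = []

    def _require(self, user: str, role: str) -> None:
        if role not in self.roles.get(user, set()):
            raise PermissionError(f"{user} does not hold role {role}")

    def initiate(self, req_id: str, user: str, customer: str,
                 limit: float, net_worth: float) -> str:
        """Maker step: record the request; nothing reaches CBS yet."""
        self._require(user, "MAKER")
        self.requests[req_id] = {"customer": customer, "limit": limit,
                                 "net_worth": net_worth, "initiator": user,
                                 "status": "PENDING"}
        self.audit_log.append(("INITIATE", req_id, user))
        return "PENDING"

    def authorize(self, req_id: str, user: str) -> str:
        """Checker step: a different, authorized user decides against policy."""
        req = self.requests[req_id]
        self._require(user, "CHECKER")
        if user == req["initiator"]:
            raise PermissionError("initiator cannot authorize their own request")
        if req["status"] != "PENDING":
            raise ValueError("request already decided")
        if req["limit"] > self.max_limit_ratio * req["net_worth"]:
            req["status"] = "REJECTED"          # outside the credit risk policy
        else:
            req["status"] = "AUTHORIZED"
        self.audit_log.append((req["status"], req_id, user))
        return req["status"]


def run_scenario() -> Dict[str, object]:
    """Exercise the control with constructed users and requests."""
    wf = CreditLineWorkflow({"maker1": {"MAKER"}, "checker1": {"CHECKER"},
                             "dual": {"MAKER", "CHECKER"}})
    out: Dict[str, object] = {}
    wf.initiate("R1", "maker1", "CUST-A", 40.0, 100.0)
    out["R1"] = wf.authorize("R1", "checker1")       # within policy
    wf.initiate("R2", "maker1", "CUST-B", 80.0, 100.0)
    out["R2"] = wf.authorize("R2", "checker1")       # over half of net worth
    wf.initiate("R3", "dual", "CUST-C", 10.0, 100.0)
    try:
        wf.authorize("R3", "dual")                   # same person as initiator
    except PermissionError as exc:
        out["R3"] = "blocked: " + str(exc)
    try:
        wf.authorize("R2", "maker1")                 # maker lacks CHECKER role
    except PermissionError as exc:
        out["R2_by_maker"] = "blocked: " + str(exc)
    out["audit_entries"] = len(wf.audit_log)
    return out
```

A user holding both roles is still prevented from authorizing a request they initiated, which is the point of the control: the role check alone is not segregation of duties.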
27. Explain the business process flow of authorization process of credit card.
Process Flow of Sale - Authorization process of Credit Card Facility (as shown in
the Fig.)
(i) The customer swipes the credit card for the purchase made on the POS (Point of
Sale) machine at the merchant's shop/establishment.
(ii) The POS (Point of Sale) will process the transaction only once it is
authenticated.
(iii) The POS (Point of Sale) sends the authentication request to the merchant's
bank (also referred to as the "acquiring bank"), which then sends the transaction
authentication verification details to the credit card network (such as VISA,
MASTER CARD, AMEX, RUPAY), from which the data is validated by the credit
card issuing bank within a fraction of a second.
(iv) Once the transaction is validated, the approval message is sent from the credit
card issuing bank to the credit card network, which then flows to the merchant's
bank and approves the transaction in the POS (Point of Sale) machine.
(v) The receipt of the transaction is generated and the sale is completed. The
transaction made is charged during the billing cycle of that month.
Process Flow of Sale - Authorization and Clearing & Settlement of Credit Card
Facility
28. Explain the business process flow of clearing & settlement process of credit card
Process Flow of Clearing & Settlement process of Credit Card Facility (as shown in
the above Fig.)
(i) The transaction data from the merchant is transferred to the merchant's bank.
The merchant's bank clears the settlement amount to the merchant after deducting
merchant fees. The merchant's bank, in turn, provides the list of settlement
transactions to the credit card network, which then provides the list of transactions
made by the customer to the credit card issuing bank.
(ii) Based on the transactions made, the credit card issuing bank clears the amount
to the merchant's bank, after deducting interchange transaction fees.
(iii) At the end of the billing cycle, the card issuing company charges the customer's
credit card account with those transactions in CBS.
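As an added illustration of the authorization and clearing flow described in questions 27 and 28 (this is example code written for these notes, not part of the original material or of any real card scheme), the following Python simulation models the four parties: a POS terminal, the acquiring bank, the card network and the issuing bank. The issuer applies the credit-limit check, the acquirer pays the merchant net of the merchant fee, the issuer settles with the acquirer net of interchange, and the cardholder is billed at the end of the cycle. The card number, credit limit and fee percentages are constructed sample values.

```python
from dataclasses import dataclass, field

# Amounts are integers in paise (1/100 rupee) so that settlement arithmetic stays exact.


@dataclass
class CardAccount:
    credit_limit: int
    outstanding: int = 0                        # approved purchases not yet billed
    statement: list = field(default_factory=list)


class Issuer:
    """Card issuing bank: holds the card master and applies the credit-limit control."""

    def __init__(self):
        self.accounts = {}

    def issue_card(self, pan, credit_limit):
        self.accounts[pan] = CardAccount(credit_limit)

    def authorize(self, pan, amount):
        acct = self.accounts.get(pan)
        if acct is None:
            return "DECLINED:UNKNOWN_CARD"
        # Control: aggregate outstanding plus this purchase must not exceed the limit
        if acct.outstanding + amount > acct.credit_limit:
            return "DECLINED:OVER_LIMIT"
        acct.outstanding += amount
        return "APPROVED"

    def clear(self, pan, transactions, interchange_bps):
        """Clearing: pay the acquirer net of interchange and book the purchases
        to the cardholder's statement."""
        total = sum(transactions)
        self.accounts[pan].statement.extend(transactions)
        return total - total * interchange_bps // 10_000

    def bill(self, pan):
        """End of billing cycle: charge the statement to the card account."""
        acct = self.accounts[pan]
        billed = sum(acct.statement)
        acct.statement.clear()
        return billed


class Network:
    """Card network: routes by BIN (first six digits of the PAN) to the issuer."""

    def __init__(self, issuers_by_bin, interchange_bps):
        self.issuers = issuers_by_bin
        self.interchange_bps = interchange_bps

    def authorize(self, pan, amount):
        return self.issuers[pan[:6]].authorize(pan, amount)

    def clear(self, pan, transactions):
        return self.issuers[pan[:6]].clear(pan, transactions, self.interchange_bps)


class Acquirer:
    """Merchant's bank: forwards POS requests and settles with the merchant."""

    def __init__(self, network, merchant_fee_bps):
        self.network = network
        self.fee_bps = merchant_fee_bps
        self.batch = {}                          # pan -> approved amounts awaiting clearing

    def authorize(self, pan, amount):
        result = self.network.authorize(pan, amount)
        if result == "APPROVED":
            self.batch.setdefault(pan, []).append(amount)
        return result

    def settle(self):
        """Pay the merchant net of the merchant fee; recover from issuers via the network."""
        gross = sum(sum(v) for v in self.batch.values())
        merchant_payout = gross - gross * self.fee_bps // 10_000
        received = sum(self.network.clear(pan, txns) for pan, txns in self.batch.items())
        self.batch.clear()
        return merchant_payout, received


def pos_swipe(acquirer, pan, amount):
    """POS terminal: the sale completes only when the response is APPROVED."""
    return acquirer.authorize(pan, amount)


def run_demo():
    issuer = Issuer()
    pan = "4000001234567890"                           # constructed sample PAN
    issuer.issue_card(pan, credit_limit=5_000_000)     # Rs 50,000.00
    network = Network({"400000": issuer}, interchange_bps=150)   # 1.50% interchange
    acquirer = Acquirer(network, merchant_fee_bps=200)           # 2.00% merchant fee
    results = [pos_swipe(acquirer, pan, 120_000),      # Rs 1,200.00
               pos_swipe(acquirer, pan, 350_000),      # Rs 3,500.00
               pos_swipe(acquirer, pan, 4_800_000)]    # Rs 48,000.00: breaches the limit
    payout, received = acquirer.settle()
    billed = issuer.bill(pan)
    return results, payout, received, billed


if __name__ == "__main__":
    print(run_demo())
```

Running `run_demo()` shows the third swipe declined for exceeding the limit, the merchant receiving Rs 4,606.00 on a gross of Rs 4,700.00, the acquirer recovering Rs 4,629.50 from the issuer, and the cardholder billed the full Rs 4,700.00.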
29. What are the Risks and Controls around the Credit Card Process
Risks and Controls around the Credit Card Process
1. Risk: Credit Line setup is unauthorized and not in line with the bank's policy.
   Key Controls: The credit committee checks that the Financial Ratios, the Net-worth,
   the Risk factors and their corresponding mitigating factors, the Credit Line offered,
   the Credit amount etc. are in line with the Credit Risk Policy and that the Client
   can be given the Credit Line.
2. Risk: Credit Line setup is unauthorized and not in line with the bank's policy.
   Key Controls: Access rights to authorize the credit limit in the credit card system
   should be restricted to authorized personnel.
3. Risk: Masters defined for the customer are not in accordance with the
   Pre-Disbursement Certificate.
   Key Controls: Access rights to authorize the customer master in the credit card
   system should be restricted to authorized personnel. Segregation of duties exists in
   the credit card system such that the system restricts a maker having checker rights
   from approving the facilities booked by self in the credit card system.
4. Risk: Credit Line setup can be breached.
   Key Controls: A transaction cannot be made if the aggregate outstanding amount would
   exceed the credit limit assigned to the customer.
5. Risk: Inaccurate interest / charge being calculated in the Credit Card system.
   Key Controls: Interest on fund based credit cards and charges are automatically
   calculated in the credit card system as per the defined masters.
6. Risk: Inaccurate reconciliations performed.
   Key Controls: Daily reconciliation of the balances received from the credit card
   network with the transactions updated in the credit card system, at card network
   level.
Business Process Flow of Mortgages
A Mortgage loan is a secured loan which is secured on the borrower's property by
marking a lien on the property as collateral for the loan. If the borrower stops paying,
then the lender has the first charge on the property.
Mortgages are used by individuals and businesses to make large real estate purchases
without paying the entire value of the purchase up front. Over a period of many years,
the borrowers repay the loan amount along with interest until there is no outstanding
balance.
31. Explain the Process Description of Mortgage loan.
(i) Loans are provided by the lender, which is a financial institution such as a bank or
a mortgage company. There are two types of loan widely offered to customers: the first
is a fixed rate mortgage, where the rate of interest remains constant for the life of
the loan; the second is a variable/floating rate mortgage, where the rate of interest
is fixed for a period but then fluctuates with the market interest rates.
(ii) The borrower/customer approaches the bank for a mortgage, and the relationship
manager/loan officer explains the home loan and its various features to the customer.
The customer fills in the loan application and provides the requisite KYC documents
(proof of identity, address, income and obligation details etc.) to the loan officer.
(iii) The loan officer reviews the loan application and sends it to the credit risk
team, which calculates the financial obligation income ratio to determine the
customer's financial eligibility, i.e. how much loan can be provided to the customer.
This is done on the basis of the credit score as per the Credit Information Bureau
(India) Limited (CIBIL) rating, the income and expense details and the rate of interest
at which the loan is offered. Once financial eligibility is determined, the details are
sent along with the customer documents to the underwriting team for approval.
(iv) The underwriting team verifies the financial (applicant's credit history) and
employment information of the customer. The underwriter ensures that the loan
provided is within the lending guidelines and at this stage provides conditional
approval along with the list of documents required.
(v) As per the property selected by the customer, the loan officer provides the
property details along with the requisite documents (property papers etc.) to the
legal and valuation teams. The legal team carries out a title search on the property
to determine the legal owner of the property and any restrictions or lien on the
property etc. The valuation team carries out a valuation of the property and
determines its value.
(vi) Further verification of the property is done to determine whether the property
is built as per the approved plan, whether the builder has received the requisite
certificates, the age of the building (to determine whether it will withstand the
loan tenure) and the construction quality.
(vii) The legal and valuation teams send their reports to the operations team,
which generates a letter of offer / offer letter to the customer that contains all
details of the loan such as loan amount, rate of interest, tenor, monthly
instalment, security address, fee/charges details and terms and conditions.
(viii) The customer agrees to the loan agreement offered by signing the offer
letter. The loan officer notarizes all the loan documents, which are then sent
back to the lender's operations team.
(ix) Once the signed offer letter is received, the operations team releases or
disburses the funds and prepares a cashier's order. The cashier's order is provided
to the customer in exchange for the mandatory original property documents. Once
the exchange is carried out successfully, the bank places a charge or lien on the
property so that in case of default the first charge is with the bank to recover
the money.
(x) Post disbursement of the loan, the customer can carry out various loan servicing
activities by visiting the branch or via online mode, such as amendments to the
interest rate, change in monthly instalment, prepayment of the loan amount and
foreclosure of the loan etc.
32. What are the risks & controls around Mortgage Process
Risk & Controls around the Mortgage Process
1. Risk: Incorrect customer and loan details are captured, which will affect the
   overall downstream process.
   Key Controls: There is a secondary review performed by an independent team member,
   who verifies the loan details captured in the core banking application against the
   offer letter.
2. Risk: Incorrect loan amount disbursed.
   Key Controls: There is a secondary review performed by an independent team member,
   who verifies the loan amount to be disbursed from the core banking application
   against the signed offer letter.
3. Risk: Interest amount is incorrectly calculated and charged.
   Key Controls: The interest amount is auto calculated by the core banking application
   on the basis of loan amount, ROI and tenure.
4. Risk: Unauthorized changes made to loan master data or customer data.
   Key Controls: System enforced segregation of duties exists in the core banking
   application, where the inputter of the transaction cannot approve their own
   transaction and the reviewer cannot edit any details submitted by the inputter.
Core areas of Treasury Operations: The core areas of treasury operations in a bank can
be functionally divided into the following broad compartments as mentioned below:
a. Dealing Room Operations (Front office operations);
b. Middle Office (Market Risk department / Product Control Group); and
c. Back office.
· Front Office operations consist of dealing room operations wherein the dealers enter
into deals with various corporate and interbank counter-parties. Deals are entered by
dealers on various trading/communication platforms such as the Reuters system,
telephonic conversation, brokers or any other private channel with the respective
counter-party.
· The dealers are primarily responsible for checking counter-party credit limits,
eligibility and other requirements of the Bank before entering into a deal with the
customers. Dealers must ensure that all risk/credit limits are available before
entering into a deal. Also, the deal must not contravene the current regulations
regarding dealing in INR with overseas banks/counter-parties.
· All counter-parties are required to have executed the International Swaps and
Derivatives Association ('ISDA') agreement as well as to have passed a board resolution
allowing them to enter into derivative contracts. As soon as the deal is struck with a
counter-party, the deal details are either noted in a manual deal pad or punched into
the front office system of the Bank, where they are queued for authorization.
· Middle Office includes risk management, responsibility for treasury accounting and
documentation of various types, producing the financial results, analysis and budget
forecasts for the treasury business unit, and input into regulatory reporting.
· Risk management manages various types of risks such as financial and market risk,
currency risk, foreign exchange risk and regulatory compliance risk, with the objective
of risk minimization or risk hedging.
· It is also responsible for monitoring the counter-party, country, dealer and market-
related limits that have been set and approved in other areas of the bank such as the
credit department.
· The mainstream role of the Back Office is direct support of the trading room or
front office. This includes verification by confirmation, settlement, and checking the
existence of a valid and enforceable International Swap Dealers Association ('ISDA')
agreement.
· An important development in the back office has been the advent of Straight-
Through Processing (STP), also called 'hands-off' or exception processing. This has
been made possible through enhancement of systems to real-time online input in the
trading room, which in turn has meant that the back office can recall deals input in
the trading room to verify them from an external source.
· Back office is also involved in a number of reconciliation processes, including the
agreement of traders' overnight positions, Nostro accounts and brokerage. The
critical one is FOBO (Front Office/Back Office) reconciliation, to ensure the
completeness and accuracy of trades/deals done for the day.
34. What is the process flow for bank treasury operations
35. Explain various risk & controls around the Treasury Process
Risk & Controls around the Treasury Process
1. Risk: Unauthorized securities setup in systems such as Front office/Back office.
   Key Controls: Appropriate segregation of duties and review controls around
   securities master setup/amendments.
2. Risk: Inaccurate trade is processed.
   Key Controls: Appropriate segregation of duties and review controls to ensure the
   accuracy and authorization of trades.
3. Risk: Unauthorized confirmations are processed.
   Key Controls: Complete and accurate confirmations to be obtained from the
   counter-party.
4. Risk: Insufficient securities available for settlement.
   Key Controls: Effective controls on securities and margins.
5. Risk: Incomplete and inaccurate data flow between systems.
   Key Controls: Inter-system reconciliations, interface and batch processing controls.
6. Risk: Insufficient funds are available for settlements.
   Key Controls: Controls at CCIL/NEFT/RTGS settlements to ensure margin funds
   availability and timely funds settlement.
7. Risk: Incorrect Nostro payments processed.
   Key Controls: Controls at Nostro reconciliation and payments.
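The FOBO reconciliation described in the back office bullets, the inter-system and Nostro reconciliation controls in this table, and the daily card-network reconciliation in the credit card table all compare two records of the same business events and raise the differences as exceptions. The following Python example, added here and not part of the original notes, implements that at two levels: deal by deal (completeness and accuracy) and as control totals per key (currency pair here; the same function works per card network for the credit card case). The deal records are constructed sample data.

```python
from collections import namedtuple

Deal = namedtuple("Deal", "deal_id counterparty ccy_pair notional rate")

# Constructed sample records: what the dealing room captured for the day versus
# what the back office holds after confirmation and settlement processing.
FRONT_OFFICE = [
    Deal("D1001", "CP-A", "USD/INR", 1_000_000, 83.10),
    Deal("D1002", "CP-B", "EUR/INR", 500_000, 90.25),
    Deal("D1003", "CP-C", "USD/INR", 250_000, 83.12),
]
BACK_OFFICE = [
    Deal("D1001", "CP-A", "USD/INR", 1_000_000, 83.10),
    Deal("D1002", "CP-B", "EUR/INR", 5_000_000, 90.25),   # notional keyed with an extra zero
    Deal("D1004", "CP-D", "GBP/INR", 100_000, 105.40),    # no matching front-office deal
]


def reconcile(front, back):
    """Deal-level FOBO reconciliation: returns (deal_id, break_type, detail) tuples."""
    fo = {d.deal_id: d for d in front}
    bo = {d.deal_id: d for d in back}
    if len(fo) != len(front) or len(bo) != len(back):
        raise ValueError("duplicate deal ids: source data is not unique")
    breaks = []
    for deal_id in sorted(fo.keys() | bo.keys()):
        if deal_id not in bo:
            breaks.append((deal_id, "MISSING_IN_BACK_OFFICE", None))   # completeness
        elif deal_id not in fo:
            breaks.append((deal_id, "MISSING_IN_FRONT_OFFICE", None))  # completeness
        else:
            diffs = {f: (getattr(fo[deal_id], f), getattr(bo[deal_id], f))
                     for f in Deal._fields
                     if getattr(fo[deal_id], f) != getattr(bo[deal_id], f)}
            if diffs:
                breaks.append((deal_id, "FIELD_MISMATCH", diffs))      # accuracy
    return breaks


def aggregate_breaks(front, back, key=lambda d: d.ccy_pair):
    """Control-total comparison per key: returns {key: (front_total, back_total)}
    for every key whose totals differ between the two sides."""
    totals = {}
    for side, records in ((0, front), (1, back)):
        for rec in records:
            pair = totals.setdefault(key(rec), [0, 0])
            pair[side] += rec.notional
    return {k: tuple(v) for k, v in sorted(totals.items()) if v[0] != v[1]}


def run_demo():
    return reconcile(FRONT_OFFICE, BACK_OFFICE), aggregate_breaks(FRONT_OFFICE, BACK_OFFICE)


if __name__ == "__main__":
    deal_breaks, total_breaks = run_demo()
    for b in deal_breaks:
        print(*b)
    print(total_breaks)
```

The deal-level pass catches the mis-keyed notional and the two one-sided deals; the aggregate pass is the cheap check that would be run first against a counterparty or network control total, and it points at the same three breaks without needing the full record.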
Loans and Trade Finance Process
The business of lending, which is the main business of banks, carries certain inherent
risks, and a bank cannot take more than a calculated risk whenever it wants to lend.
Hence, lending activity has to necessarily adhere to certain principles.
The business of lending is carried on by banks offering various credit facilities to
their customers. Basically, the various credit facilities offered by banks are generally
repayable on demand. A bank should ensure proper recovery of funds lent by it and
acquaint itself with the nature of legal remedies available to it and also the law
affecting the credit facilities provided by it.
· Once the potential customer agrees to avail the facilities/products of the
bank, the relationship manager requests the relevant documents, i.e. KYC
and other relevant documents of the customer, depending upon the
facility/product.
· The documents received from the customers are handed over to the Credit
team of the bank for sanctioning of the facilities/limits of the customers.
· The Credit team verifies the documents, assesses the financial and credit
worthiness of the borrowers and issues a sanction letter to the customer.
· The sanction letter details the terms of the facilities and the credit limits the
customer is eligible for, e.g. how much loan can be offered to the customer.
· Once the customer agrees with the terms of the sanction letter, the credit
team prepares a Pre Disbursement Certificate (PDC) containing the details of
all the facilities & limits approved for the customer and sends it to the
disbursement team, i.e. the team which is responsible for disbursing the loan
amount to the customer.
· The disbursement team verifies the PDC and creates the customer account and
master in the Loan Disbursement System. The disbursement team member
also assigns the limits for various products as per the PDC.
· Once the limits are assigned to the customer, the customer can avail any of
the facilities/products up to the assigned credit limits.
· In case of non-fund based facilities, the facilities are granted to the
customer up to the assigned limits in the loan disbursement system.
Contingent entries are posted for assets and liabilities. Commission is
normally charged to the customer account upfront on availing the facility and
is accrued over the tenure of the facilities granted to the customer.
39. Explain risks & controls in loans & advances process
Risk & Controls in the Loans and Advances Process
1. Risk: Credit Line setup is unauthorized and not in line with the bank's policy.
   Key Controls: The credit committee checks that the Financial Ratios, the Net-worth,
   the Risk factors and their corresponding mitigating factors, the Credit Line offered,
   the Credit amount etc. are in line with the Credit Risk Policy and that the Client
   can be given the Credit Line.
2. Risk: Credit Line setup is unauthorized and not in line with the bank's policy.
   Key Controls: Access rights to authorize the credit limit in the Loan Booking
   system/CBS should be restricted to authorized personnel.
3. Risk: Masters defined for the customer are not in accordance with the Pre
   Disbursement Certificate.
   Key Controls: Access rights to authorize the customer master in the Loan Booking
   system/CBS should be restricted to authorized personnel. Segregation of duties exists
   in the Loan Disbursement system: the system restricts a maker having checker rights
   from approving the loan/facilities booked by self in the loan disbursal system.
4. Risk: Credit Line setup can be breached in the Loan disbursement system/CBS.
   Key Controls: The Loan disbursement system/CBS restricts booking of loans/facilities
   if the limits assigned to the customer would be breached in the Loan disbursement
   system/CBS.
5. Risk: Lower rate of interest/commission may be charged to the customer.
   Key Controls: The Loan disbursement system/CBS restricts booking of loans/facilities
   if the rate charged to the customer is not as per the defined masters in the system.
6. Risk: Facilities/loans granted may be unauthorized/inappropriate.
   Key Controls: Segregation of duties exists in the Loan Disbursement system: the
   system restricts a maker having checker rights from approving the loan/facilities
   booked by self in the loan disbursal system.
7. Risk: Inaccurate interest/charge being calculated in the Loan disbursal system.
   Key Controls: Interest on fund based loans and charges for non-fund based loans are
   automatically calculated in the Loan disbursal system as per the defined masters.
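The maker-checker, limit and rate-master controls in this table, and the corresponding rows in the CASA, credit card and mortgage tables above, are easiest to understand as rules the system itself enforces. The following Python example, added here and not part of the original notes or of any real loan booking product, models a loan booking system that refuses a booking which would breach the PDC limit or deviate from the rate master, blocks a user without checker rights from authorizing, blocks a maker from authorizing their own booking even when they hold checker rights, and stops the reviewer from editing what the inputter submitted. The users, limits and rates are constructed sample values.

```python
class ControlViolation(Exception):
    """Raised when a booking step would breach a system-enforced control."""


class LoanBookingSystem:
    """Toy loan disbursement system (constructed example) enforcing maker-checker
    segregation of duties, the PDC limit and the rate master."""

    def __init__(self, roles, pdc_limits, rate_master):
        self.roles = roles              # user -> set of rights, e.g. {"MAKER", "CHECKER"}
        self.pdc_limits = pdc_limits    # customer -> limit approved in the PDC
        self.rate_master = rate_master  # product -> approved rate (% p.a.)
        self.pending = {}               # ref -> transaction awaiting authorization
        self.booked = {}                # ref -> authorized transaction
        self.exposure = {}              # customer -> total of booked facilities
        self.audit_trail = []
        self._seq = 0

    def _require(self, user, right):
        if right not in self.roles.get(user, set()):
            raise ControlViolation(f"{user} lacks {right} right")

    def _check_limit(self, customer, amount):
        # Control: booking is refused if it would breach the limit assigned per the PDC
        if self.exposure.get(customer, 0) + amount > self.pdc_limits[customer]:
            raise ControlViolation("sanctioned limit breached")

    def initiate(self, maker, customer, product, amount, rate):
        self._require(maker, "MAKER")
        # Control: the rate charged must be as per the defined rate master
        if rate != self.rate_master[product]:
            raise ControlViolation("rate not as per rate master")
        self._check_limit(customer, amount)
        self._seq += 1
        ref = f"LN{self._seq:04d}"
        self.pending[ref] = {"customer": customer, "product": product,
                             "amount": amount, "rate": rate, "maker": maker}
        self.audit_trail.append(("INITIATED", ref, maker))
        return ref

    def amend(self, user, ref, **changes):
        txn = self.pending[ref]
        # Control: the reviewer cannot edit details submitted by the inputter
        if user != txn["maker"]:
            raise ControlViolation("only the maker may edit a pending transaction")
        txn.update(changes)
        self.audit_trail.append(("AMENDED", ref, user))

    def authorize(self, checker, ref):
        self._require(checker, "CHECKER")
        txn = self.pending[ref]
        # Control: a maker holding checker rights still cannot approve own booking
        if txn["maker"] == checker:
            raise ControlViolation("maker cannot authorize own transaction")
        self._check_limit(txn["customer"], txn["amount"])   # re-check at approval time
        self.booked[ref] = self.pending.pop(ref)
        self.exposure[txn["customer"]] = self.exposure.get(txn["customer"], 0) + txn["amount"]
        self.audit_trail.append(("AUTHORIZED", ref, checker))
        return ref


def attempt(action):
    """Run one booking step; return 'OK' or the control violation message."""
    try:
        action()
        return "OK"
    except ControlViolation as exc:
        return str(exc)


def run_demo():
    lbs = LoanBookingSystem(
        roles={"asha": {"MAKER"}, "bala": {"CHECKER"}, "chitra": {"MAKER", "CHECKER"}},
        pdc_limits={"C001": 1_000_000},
        rate_master={"TERM_LOAN": 9.5},
    )
    outcomes = [
        attempt(lambda: lbs.initiate("asha", "C001", "TERM_LOAN", 600_000, 9.5)),   # LN0001
        attempt(lambda: lbs.authorize("asha", "LN0001")),      # maker has no checker right
        attempt(lambda: lbs.authorize("bala", "LN0001")),      # independent checker approves
        attempt(lambda: lbs.initiate("chitra", "C001", "TERM_LOAN", 500_000, 9.5)),  # limit
        attempt(lambda: lbs.initiate("asha", "C001", "TERM_LOAN", 300_000, 8.0)),    # rate
        attempt(lambda: lbs.initiate("chitra", "C001", "TERM_LOAN", 300_000, 9.5)),  # LN0002
        attempt(lambda: lbs.authorize("chitra", "LN0002")),    # self-approval blocked
        attempt(lambda: lbs.amend("bala", "LN0002", amount=250_000)),  # checker cannot edit
        attempt(lambda: lbs.authorize("bala", "LN0002")),
    ]
    return outcomes, lbs.exposure["C001"]


if __name__ == "__main__":
    for line in run_demo()[0]:
        print(line)
```

The limit is checked twice on purpose: once when the maker initiates, and again when the checker authorizes, because other bookings for the same customer may have been authorized in between.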
· On access, the user is directed to a secure web server. The internet banking website
is hosted on the web server. The web server is in the central data centre of the bank.
Access to the web server is permitted only to authorised users.
· To protect the web server from unauthorised use and abuse, the traffic necessarily
has to pass through a firewall. The firewall is designed in such a fashion that only
traffic addressed to the web server through the authorised port is permitted.
· An individual who accesses the website of the bank through the browser will be able
to access the web server, and the bank's web page will be displayed on the screen of
the client's computer.
· The web page will also provide all information generally of interest to the public.
The web page will also have a specified area wherein the user ID and password are to
be entered.
· The password will not be displayed in plain text but will only be in an encrypted form.
· The web server forwards the customer details to the Internet Banking Application
Server (IBAS), which in turn accesses the Internet Banking Database Server (IDBS). The
server already has the database of all the customers who have been provided with the
internet banking facility. For each customer, it would have details about the user ID
and password.
· The information received from the web server is verified with the data of the customer
held in the Internet Banking Application Server (IBAS).
· Should the information not tally, the message 'access denied' would appear, giving
the reason 'user ID/password incorrect'. The customer, realising the mistake, may
rectify it and make another attempt.
· Normally, three such attempts would be permitted. After three attempts, the customer
will be logged out for security reasons. If more attempts are permitted, there is a
possibility of a person just trying out different combinations of user ID and password
to break into the system.
· Based on the authentication check, the Internet Banking Application Server (IBAS)
sends an acknowledgement to the web server. The web server displays the message.
Once the authentication process is completed correctly, the customer is provided the
internet banking facility, which would include:
(a) Password change
(b) Balance inquiry
(c) Fund transfer
(d) Request for cheque book
(e) Stop payment
(f) Copy of statement of account; and
(g) ATM/ Credit Card related queries
· The customer then chooses one of the services from the list. The service requested is
directed by the web server to the IBAS for processing. The IBAS will access the
internet banking database server for further processing.
· The Internet Banking Channel Server (IBCS) will retrieve the data from the central
database server. The IBCS will be able to access the central database server only
through a middleware and firewall. The middleware is expected to convert the data to
suit the requirements of the IBCS.
· The internet banking database server then forwards the customer data to the IBAS,
which processes the transaction. E.g., the statement of account from the central
database server is made available to the Internet Banking Database Server (IDBS). The
IBCS then sends the data to the IBAS. The IBAS then sends the same to the web browser
(Internet Explorer).
· The web server generates a dynamic web page for the service requested, e.g., the
account statement generated by the web server and presented to the browser (say,
Internet Explorer); the information is provided to the web browser in an encrypted form.
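As an added example of the credential check and the three-attempt rule described above (example code written for these notes, not part of the original or of any bank's IBAS), the following Python class stores each customer's password as a salted PBKDF2 hash rather than in a reversibly encrypted form, returns the same generic 'user ID/password incorrect' message for an unknown user ID as for a wrong password, and locks the account on the third consecutive failure so that further guessing is useless. The user IDs and passwords are constructed sample values.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000
MAX_ATTEMPTS = 3
DENIED = "access denied: user ID/password incorrect"
LOCKED = "access denied: account locked after repeated failures"
GRANTED = "access granted"


def _derive(password, salt):
    """Slow, salted one-way derivation; the stored value cannot be turned back into the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class InternetBankingAuth:
    """Stand-in for the IBAS credential check (constructed example)."""

    def __init__(self):
        self.records = {}                   # user_id -> credential record
        self._dummy_salt = os.urandom(16)   # used so unknown IDs take the same time to reject

    def enrol(self, user_id, password):
        salt = os.urandom(16)               # per-user salt: equal passwords give different hashes
        self.records[user_id] = {"salt": salt, "hash": _derive(password, salt),
                                 "failed": 0, "locked": False}

    def login(self, user_id, password):
        rec = self.records.get(user_id)
        if rec is None:
            _derive(password, self._dummy_salt)   # same cost and same message as a bad password
            return DENIED
        if rec["locked"]:
            return LOCKED
        if hmac.compare_digest(_derive(password, rec["salt"]), rec["hash"]):
            rec["failed"] = 0               # a successful login resets the counter
            return GRANTED
        rec["failed"] += 1
        if rec["failed"] >= MAX_ATTEMPTS:
            rec["locked"] = True            # third failure: session ends and the account locks
            return LOCKED
        return DENIED

    def unlock(self, user_id):
        """Branch or help desk side reset, after the customer has been re-verified."""
        rec = self.records[user_id]
        rec["failed"], rec["locked"] = 0, False


def run_demo():
    ibas = InternetBankingAuth()
    ibas.enrol("cust001", "correct-horse-battery")
    ibas.enrol("cust002", "staple-pass")
    return [
        ibas.login("cust001", "wrong-1"),               # DENIED (1st failure)
        ibas.login("cust001", "wrong-2"),               # DENIED (2nd failure)
        ibas.login("cust001", "wrong-3"),               # LOCKED (3rd failure)
        ibas.login("cust001", "correct-horse-battery"), # LOCKED: right password no longer helps
        ibas.login("nobody", "anything"),               # DENIED: same message as a bad password
        ibas.login("cust002", "wrong"),                 # DENIED
        ibas.login("cust002", "staple-pass"),           # GRANTED, counter reset
    ]


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

`hmac.compare_digest` is used instead of `==` so that the comparison takes the same time whether the first byte or the last byte differs, and the unknown-user path runs the same derivation so that response time does not reveal which user IDs exist.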
is critical to ensure that the Bank can impart advanced training to its permanent staff in
the core areas of technology for effective and efficient technology management.
· Ownership of Data/process: Since the entire data resides at the Data Centre, any
authorized user may access any data, sometimes beyond their access rights. Hence it
is required to establish clear ownership.
· Authentication procedure: This may be inadequate and hence the user entering the
transaction may not be identifiable. Hence a photo or ID and password are required to
be provided by the individual, and these have to be verified with the photo, ID &
password stored in the database server to check their authenticity.
· Authorization process: Once the user is authenticated, the level of access right
provided to every user has to be verified to check up to what extent he is authorized
to access.
· Several software interfaces across diverse networks: A Data Centre can have as
many as 75-100 different interfaces and application software.
· Maintaining response time: Maintaining the interfacing software and ensuring
optimum response time and up time can be challenging.
· User Identity Management: This could be a serious issue. Some Banks may have
more than 5000 users interacting with the CBS at once.
· Access Controls: Designing and monitoring access control is an extremely challenging
task.
· Incident handling procedures: These may not be adequate considering the need for
real-time risk management.
43. Explain the IT related risks & mitigating controls in the business perspective
There are multiple ways in which risks can be assessed. From a business perspective,
risks can be classified based on the following information criteria:
· Confidentiality: If critical data is lost and unauthorized disclosure happens, data
confidentiality is lost.
· Integrity: If critical data is modified without authorization, or is incomplete or
inaccurate due to errors in input or processing, data integrity will be affected.
· Availability: The information system is not available when required.
· Compliance: The information system does not comply with legal, regulatory,
contractual or internal compliance requirements.
· Reliability: If the system does not provide accurate financial information, users lose
confidence in the information system.
· Effectiveness: If the system is not able to meet user requirements, it will affect
effectiveness.
· Efficiency: If the system is not responding within the stipulated time, it will affect
efficiency.
44. Explain the sub processes of data center and network operation to control IT
related risks.
• Backups and Restoring of data: To be done on a regular basis as per the backup policy.
• Job and Batch Scheduling and Processing: Running of various types of transactions
on a regular basis as per pre-defined schedules. For example: clearing of cheques and
interest computation are done at specified intervals.
• Monitoring of Applications and supporting Servers: The servers and the applications
running on them are monitored to ensure that servers, network connections and
application software along with the interfaces are working continuously.
• Value Add areas of Service Level Agreements (SLA): SLAs with vendors are regularly
reviewed to ensure that the services are delivered as per the specified performance
parameters.
• User training and qualification of Operations personnel: The personnel deployed
have the required qualifications, competencies and skill-sets to operate and monitor
the IT environment of the CBS of the bank.
45. Explain risks and Controls for Data Centre and Network Operations
Risks and Controls for Data Centre and Network Operations
· Risk: The transaction may not be recorded completely or accurately, and the related
  items will be inaccurately or incompletely recorded.
  Key IT Controls: Batch and online processing procedures are defined, executed and
  monitored for successful and timely completion. Any exception is reviewed and
  resolved in a timely manner.
· Risk: Invalid items may be recorded or valid items may be inaccurately or
  incompletely recorded.
  Key IT Controls: Access to automated job scheduling tools and executable programs
  is defined so as to be restricted to appropriate individuals as per job requirement.
· Risk: Timely and adequate technical support may not be available and issues may not
  be resolved.
  Key IT Controls: The entity has written agreement(s) with outside contractors and/or
  software vendors to provide for technical support, as needed. Management monitors
  compliance with these agreements.
· Risk: User queries may not be timely and adequately resolved.
  Key IT Controls: A help desk function exists to provide support on user queries
  regarding systems. Problems are recorded, and the log is monitored for timely
  resolution of all such user queries.
· Risk: Unavailability of applications and data backups in the event of a disaster. It
  can also result in disclosure of sensitive information.
  Key IT Controls: All tapes, manuals and guides are properly labelled and stored in a
  timely manner in a secured, environmentally controlled location.
· Risk: Data may be lost and systems may not be recoverable in the event of a serious
  system failure. This may result in regulatory/legal complaints and loss of reputation
  besides financial loss.
  Key IT Controls: Scheduled backup and storage of data is done periodically and
  appropriately. Management periodically reviews that backups are done as per the
  backup policy and meet business and legal requirements.
Information Security
Information security is critical to mitigate the risks of information technology.
Security refers to ensuring the Confidentiality, Integrity and Availability of
information.
47. Explain risks & controls for information security
Application Software
In chapter 3 we covered Application controls. Here we are referring to risks & controls
specific to CBS.
48. Explain risks & controls for Application Software
49. Explain the four gateways of Application software
· Configuration:
§ In CBS software, Configuration refers to the way a software system is set up for
use. Configuration is the first step after installing the software.
§ This involves setting up various parameters (configuration) as per policies and
business process rules.
§ The various modules of the bank such as advances, deposits, user access etc.
must be configured.
§ Configuration will define how software will function and what menu options are
displayed.
§ Configuration will also enable how the products and services are distinguished
from each other.
§ Some examples of configuration are given here:
- Defining access rules from various devices/terminals.
- Creation of User Types
- Creation of Customer Type, Deposit Type, year-end process
- User Access & privileges - Configuration & its management
- Password Management
· Masters:
§ In CBS software, Masters refer to the parameter settings for the various types of
products and services as per the software modules used in the bank. The masters
are also referred to as standing data, as these are changed only when required
and changing them requires a higher level of access.
§ The parameter settings in the masters drive how the software will process the
relevant transactions. For example, the interest parameters will be used for
computing interest for various types of deposits/advances.
§ After configuring the software, the masters are set up for the first time during
installation, and these are changed whenever the business process rules or
values change. For example: if RBI has changed the lending rates, based on which the
bank has decided to change the interest rates for a specific type of advances, the
interest parameters are to be updated. Any changes to these data should be
authorized by appropriate personnel, and these changes are logged and captured in
exception reports.
Some examples of masters are as follows:
- Customer Master for advances: Credit limit, loan period, interest rate,
penal interest rate, security offered, sanction terms, customer details, etc.
- Deposit Master: Interest rate, type of deposit, service charges, period of
interest computation, Minimum balance, withdrawal limits, a/c type (NRE/
NRO), etc.
- Customer Master: Customer type, details, address, PAN details,
- Employee Master: Employee Name, Id, designation, level joining details,
salary, leave, etc.
- Income Tax Master: Tax rates applicable, Slabs, frequency of TDS, etc.
· Transactions:
§ In CBS software, Transactions refer to the actual transactions for various products
and services, which can be entered by users using menus and functions, and by
customers through internet/mobile banking.
§ The transactions are allowed based on the user access and access authorization
matrix set.
§ For example, for each user, access to specific modules, types of transactions, and
what they can do (entry, authorize or view) would be defined. Some examples of
transactions are given here:
- Deposit transactions: opening of a/c, deposits, withdrawals, interest
computation, etc.
- Advances transactions: opening of a/c, deposits, withdrawals, transfers,
closure, etc.
- ECS transactions: Entry, upload, authorize/approve, update, etc.
- General Ledger: Expense accounting, interest computation update, charges
update, etc.
· Reports:
§ Users at different levels use information which is processed by the computers.
This information could be in the form of reports which are periodically generated or
generated on demand.
§ These reports could be standard or ad hoc reports.
§ The reports could be used for monitoring the operations as well as for tracking
performance.
Some examples of reports are as follows:
- Summary of transactions of the day
- Daily General Ledger (GL) of the day
- Activity logging and reviewing
- MIS report for each product or service
- Reports covering performance/compliance
- Reports of exceptions, etc.
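To show how the four gateways fit together, the following Python example (added here; it is not the notes' own code nor any real CBS product) builds a toy CBS deposits module: configuration holds the user types and the access authorization matrix, the deposit master holds the interest rate as standing data that only the highest user level may change, transactions are accepted or refused per the access matrix, interest is computed from the master rate rather than a hard-coded value, and the reports are a daily summary plus an exception report in which every master change and every refused action is captured. All user names, account numbers and rates are constructed.

```python
from collections import Counter

# Amounts are in whole rupees; interest rates are in basis points (350 = 3.50% p.a.).


class CoreBanking:
    """Toy CBS deposits module showing the four gateways (constructed example)."""

    def __init__(self):
        # Gateway 1: configuration, set up once after installation as per policy
        self.config = {
            "user_types": {"CLERK": 1, "OFFICER": 2, "MANAGER": 3},   # type -> level
            "access_matrix": {"CLERK": {"ENTER", "VIEW"},
                              "OFFICER": {"ENTER", "AUTHORIZE", "VIEW"},
                              "MANAGER": {"ENTER", "AUTHORIZE", "VIEW"}},
            "master_change_level": 3,        # standing data needs the highest level
            "months_per_year": 12,
        }
        # Gateway 2: masters (standing data) that drive transaction processing
        self.deposit_master = {"SAVINGS": {"interest_bps": 350, "min_balance": 1000}}
        self.users = {}            # user_id -> user type
        self.accounts = {}         # account -> {"type": ..., "balance": ...}
        self.pending = []          # entered but not yet authorized transactions
        self.transactions = []     # authorized transactions
        self.exception_log = []    # feeds the exception report

    # ---- configuration ---------------------------------------------------
    def create_user(self, user_id, user_type):
        if user_type not in self.config["user_types"]:
            raise ValueError("unknown user type")
        self.users[user_id] = user_type

    def _allowed(self, user_id, action):
        return action in self.config["access_matrix"][self.users[user_id]]

    # ---- masters ---------------------------------------------------------
    def update_master(self, user_id, deposit_type, field, value):
        level = self.config["user_types"][self.users[user_id]]
        if level < self.config["master_change_level"]:
            self.exception_log.append(("MASTER_CHANGE_DENIED", user_id, deposit_type, field))
            return False
        old = self.deposit_master[deposit_type][field]
        self.deposit_master[deposit_type][field] = value
        # every change to standing data is logged and surfaces in the exception report
        self.exception_log.append(("MASTER_CHANGED", user_id, deposit_type, field, old, value))
        return True

    # ---- transactions ----------------------------------------------------
    def open_account(self, account, deposit_type):
        self.accounts[account] = {"type": deposit_type, "balance": 0}

    def enter(self, user_id, account, kind, amount):
        if not self._allowed(user_id, "ENTER"):
            self.exception_log.append(("ENTRY_DENIED", user_id, account, kind))
            return None
        self.pending.append({"account": account, "kind": kind, "amount": amount, "by": user_id})
        return len(self.pending) - 1

    def authorize(self, user_id, index):
        if not self._allowed(user_id, "AUTHORIZE"):
            self.exception_log.append(("AUTHORIZE_DENIED", user_id, index))
            return False
        txn = self.pending[index]
        if txn is None:                      # already authorized once
            return False
        acct = self.accounts[txn["account"]]
        sign = 1 if txn["kind"] in ("DEPOSIT", "INTEREST") else -1
        acct["balance"] += sign * txn["amount"]
        self.pending[index] = None
        self.transactions.append({**txn, "authorized_by": user_id})
        return True

    def monthly_interest(self, account):
        """Interest comes from the master's rate, never from a constant in the code."""
        acct = self.accounts[account]
        bps = self.deposit_master[acct["type"]]["interest_bps"]
        return acct["balance"] * bps // (10_000 * self.config["months_per_year"])

    # ---- reports ---------------------------------------------------------
    def daily_summary(self):
        return dict(Counter(t["kind"] for t in self.transactions))

    def exception_report(self):
        return list(self.exception_log)


def run_demo():
    cbs = CoreBanking()
    for user, utype in (("clerk1", "CLERK"), ("officer1", "OFFICER"), ("manager1", "MANAGER")):
        cbs.create_user(user, utype)
    cbs.open_account("SB0001", "SAVINGS")
    idx = cbs.enter("clerk1", "SB0001", "DEPOSIT", 120_000)
    clerk_can_authorize = cbs.authorize("clerk1", idx)    # refused by the access matrix
    cbs.authorize("officer1", idx)
    interest_before = cbs.monthly_interest("SB0001")      # 120000 * 350 / 120000 = 350
    clerk_can_change = cbs.update_master("clerk1", "SAVINGS", "interest_bps", 400)
    cbs.update_master("manager1", "SAVINGS", "interest_bps", 400)
    interest_after = cbs.monthly_interest("SB0001")       # same balance, new master: 400
    return (clerk_can_authorize, interest_before, clerk_can_change, interest_after,
            cbs.daily_summary(), cbs.exception_report())


if __name__ == "__main__":
    print(run_demo())
```

The point of the layering is visible in `monthly_interest`: when the manager updates the master, the next interest computation changes without any code change, and the exception report records who changed the rate, from what, to what.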
· The Banking Regulation Act, 1949 is legislation in India that regulates all banking
firms in India. Initially, the law was applicable only to banking companies. But, in
1965 it was amended to make it applicable to cooperative banks and to introduce
other changes.
· The Act provides a framework using which commercial banking in India is supervised
and regulated.
· The Act gives the Reserve Bank of India (RBI) the power to license banks, have
regulation over shareholding and voting rights of shareholders; supervise the
appointment of the boards and management; regulate the operations of banks; lay
down instructions for audits; control moratorium, mergers and liquidation; issue
directives in the interests of public good and on banking policy, and impose
penalties.
· In 1965, the Act was amended to include cooperative banks under its purview by
adding Section 56. Cooperative banks, which operate only in one state, are
formed and run by the state government. But, RBI controls the licensing and
regulates the business operations. The Banking Act was a supplement to the previous
acts related to banking.
· RBI has been proactive in providing periodic guidelines to the banking sector on how IT is
deployed. It also facilitates banks by providing specific guidelines on technology
frameworks, standards and procedures covering various aspects of functioning and
computerization of banks in India. RBI also provides the technology platform for
NEFT/ RTGS and other centralized processing from time to time.
Negotiable Instruments Act-1881 (NI Act)
· Under NI Act, Cheque includes electronic image of truncated cheque and a cheque in
the electronic form. The truncation of cheques in clearing has been given effect to
and appropriate safeguards in this regard have been set forth in the guidelines issued
by RBI from time to time.
· A cheque in the electronic form has been defined as “a mirror image” of a paper
cheque. The expression ‘mirror image’ is not appropriate and was misinterpreted in
many ways, for example as an actual mirror image or a snapshot image of the paper cheque.
· Under Section 3 of the IT Act 2000, the signature had to be a digital signature; in 2008
the Act was amended to include electronic signature.
Impact of Technology in Banking
· The key components of banking business with controls are entirely covered under
the four areas namely business process, policies and procedures, regulatory
requirements and organization structure.
· However, in the CBS environment, technology encompasses all four critical
components, resulting in highly effective and efficient business operations and
controls to manage the entire banking operations.
· Earlier, technology was a tool used in specific departments of the bank, but now
with CBS, technology has become all-pervasive and has become integral to doing
banking.
· The dependence on technology in a bank is also very high. If IT fails, then none of the
business processes can be performed.
Prevention of Money Laundering Act (PMLA)
· Under Section 12 of PMLA, every banking company, financial institution and
intermediary, (hereinafter referred to as such entities) is required to maintain a
record of transactions as may be prescribed by rules and furnish information to the
Director within such time as may be prescribed.
· The records to be maintained by such entities are set forth in rule 3 of PMLR. Such
records include record of cash transactions of value more than 10 lakhs or its
equivalent in foreign currency, integrally connected cash transactions taking place
within a month, cash transactions where forged or counterfeit notes are involved
and suspicious transactions of the nature described therein.
· Under rule 6 of PMLR, such records are to be maintained for a period of ten years
from the date of transaction.
· Under section 13 of PMLA, the Director is empowered (without prejudice to any
other action that may be taken under PMLA) to impose a fine which shall not be less
than 10 thousand but which may extend to 1 lakh for each failure. Since the
imposition of fine by the Director is without prejudice to any other action that may
be taken under PMLA, it is possible that such entities may be exposed to penalty also
under Section 63.
· In terms of Section 70, if the contravention is committed by such entities, the officers
in charge of and responsible for the conduct of the business of such entity at the
relevant time are also liable to be proceeded against and punished.
It is therefore clear that such entities should have a robust system of keeping track of the
transactions of the nature referred to in Prevention of Money Laundering Act (PMLA) and
Prevention of Money Laundering Rules (PMLR) and report the same within the
prescribed period as aforesaid.
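The record-keeping duty described above is easiest to see as a screening step run over the day's cash transactions. The following Python script is an added example (not part of the J.K. Shah notes or any bank's software) that flags which transactions must be kept on record under the three record types the text lists from PMLR rule 3 and computes the ten-year retention date from rule 6. The `CashTxn` layout, the account and transaction identifiers, and the amounts are constructed sample data; the rule that "integrally connected" cash transactions are those in one account within one calendar month whose total exceeds Rs. 10 lakh is an assumption the page does not spell out, and "suspicious transactions" are left out because they depend on judgement rather than a threshold.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

# Threshold named in the notes: cash transactions of value more than Rs. 10 lakh
# (or its equivalent in foreign currency) must be recorded under PMLR rule 3.
TEN_LAKH = Decimal("1000000")


@dataclass(frozen=True)
class CashTxn:
    """One cash transaction as a CBS might export it (hypothetical layout)."""
    txn_id: str
    account: str
    when: date
    amount_inr: Decimal              # rupees, or the INR equivalent of foreign currency
    counterfeit_notes: bool = False  # forged/counterfeit notes detected at the counter


def flag_for_pmla_record(txns):
    """Map txn_id -> set of reason codes for every transaction that must be kept on record.

    Reason codes follow the record types listed from PMLR rule 3:
      CASH_OVER_10_LAKH             single cash transaction above the threshold
      INTEGRALLY_CONNECTED_MONTHLY  cash transactions in one account within one calendar
                                    month, each at or below the threshold, whose monthly
                                    total exceeds it (this aggregation rule is an assumption)
      COUNTERFEIT_NOTES             forged or counterfeit notes involved
    'Suspicious transactions' are judgement-based and are not modelled here.
    """
    reasons = defaultdict(set)
    by_month = defaultdict(list)
    for t in txns:
        if t.amount_inr > TEN_LAKH:           # "more than" 10 lakh: exactly 10 lakh is not caught here
            reasons[t.txn_id].add("CASH_OVER_10_LAKH")
        if t.counterfeit_notes:
            reasons[t.txn_id].add("COUNTERFEIT_NOTES")
        by_month[(t.account, t.when.year, t.when.month)].append(t)

    # Structuring check: several sub-threshold cash transactions in the same account and month.
    for group in by_month.values():
        small = [t for t in group if t.amount_inr <= TEN_LAKH]
        if len(small) > 1 and sum(t.amount_inr for t in small) > TEN_LAKH:
            for t in small:
                reasons[t.txn_id].add("INTEGRALLY_CONNECTED_MONTHLY")
    return dict(reasons)


def retention_deadline(txn_date):
    """Date until which the record must be kept: ten years from the transaction date
    (PMLR rule 6 as described in the notes). A 29 February rolls back to 28 February
    when the target year is not a leap year."""
    try:
        return txn_date.replace(year=txn_date.year + 10)
    except ValueError:
        return txn_date.replace(year=txn_date.year + 10, day=28)


# Constructed sample data, not real transactions.
SAMPLE_TXNS = [
    CashTxn("T1", "ACC-A", date(2024, 3, 2), Decimal("1500000")),
    CashTxn("T2", "ACC-B", date(2024, 3, 3), Decimal("400000")),
    CashTxn("T3", "ACC-B", date(2024, 3, 15), Decimal("350000")),
    CashTxn("T4", "ACC-B", date(2024, 3, 28), Decimal("300000")),
    CashTxn("T5", "ACC-C", date(2024, 3, 10), Decimal("50000"), counterfeit_notes=True),
    CashTxn("T6", "ACC-D", date(2024, 3, 12), Decimal("1000000")),  # exactly 10 lakh: not "more than"
    CashTxn("T7", "ACC-B", date(2024, 4, 1), Decimal("300000")),    # next month: not connected
    CashTxn("T8", "ACC-E", date(2024, 2, 29), Decimal("20000")),    # leap day: retention edge case
]

if __name__ == "__main__":
    for txn_id, why in sorted(flag_for_pmla_record(SAMPLE_TXNS).items()):
        print(txn_id, sorted(why))
    print("retain T1 until", retention_deadline(SAMPLE_TXNS[0].when))
```

In the sample, T1 is recorded for exceeding the threshold on its own, T2 to T4 are recorded together because ACC-B's March cash total (Rs. 10.5 lakh) crosses it even though no single deposit does, T5 is recorded for counterfeit notes, and T6 and T7 are not recorded. A real CBS feed would also carry the currency and exchange rate used to arrive at `amount_inr`, which this sample folds into the amount.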
Placement
The first stage involves the Placement of proceeds derived from illegal activities - the
movement of proceeds, frequently currency, from the scene of the crime to a place, or
into a form, less suspicious and more convenient for the criminal.
Layering
· Layering involves the separation of proceeds from their illegal source using complex
transactions through several banks, involving the transfer of money between different
accounts in different names in different countries, designed to obscure the audit trail
and hide the proceeds.
· The criminals frequently use shell corporations, offshore banks or countries with
loose regulation and secrecy laws for this purpose.
· It changes the form of the money, i.e. from black money to white money, by using the
black money to purchase assets such as boats, houses, cars, diamonds, etc.
Integration
· Integration involves conversion of illegal proceeds into apparently legitimate
business earnings through normal financial or commercial operations.
· For example, false invoices for goods exported, a domestic loan against a foreign deposit,
or the purchase of property.
Anti-Money laundering (AML) using Technology
· Negative publicity, damage to reputation and loss of goodwill, legal and regulatory
sanctions and adverse effect on the bottom line are all possible consequences of a
bank’s failure to manage the risk of money laundering.
· Banks face the challenge of addressing the threat of money laundering on multiple
fronts, as banks can be used as the primary means for the transfer of money across
geographies. The challenge is even greater for banks using CBS, as all transactions are
integrated.
· With regulators adopting stricter regulations on banks and enhancing their
enforcement efforts, banks are using special fraud and risk management software to
prevent and detect fraud and integrate this as part of their internal process and daily
processing and reporting.
Financing of Terrorism
· Money to fund terrorist activities moves through the global financial system via
electronic transfers and in and out of personal and business accounts.
· It can sit in the accounts of illegitimate charities and be laundered through buying
and selling securities and other commodities.
I. Cyber Crimes
Cybercrime also known as computer crime is a crime that involves use of a
computer and a network.
Cybercrime is defined as: “Offences that are committed against individuals or
groups of individuals with a criminal motive to intentionally harm the reputation
of the victim or cause physical or mental harm, or loss, to the victim directly or
indirectly, using modern telecommunication networks such as Internet (Chat
rooms, emails, notice boards and groups) and mobile phones.”
II. Computer related offences
Some examples of offences in the IT Act which could impact banks are as follows:
Section 65: Tampering with Computer Source Documents
Whoever
- knowingly or intentionally conceals, destroys or alters or
- intentionally or knowingly causes another to conceal, destroy or alter
any computer source code used for a computer, computer program, computer system or
computer network, when the computer source code is required to be kept or maintained
by law for the time being in force, shall be punishable with
- imprisonment up to three years, or
- with fine which may extend up to 2 lakh rupees, or
- with both.
The explanation clarifies “Computer Source Code” means the listing of programme,
Computer Commands, Design and layout and program analysis of computer resource in
any form.
Section 66-E: Punishment for violation of privacy
Whoever, intentionally or knowingly captures, publishes or transmits the image of a
private area of any person without his or her consent, under circumstances violating the
privacy of that person, shall be punished with imprisonment which may extend to three
years or with fine not exceeding two lakh rupees, or with both.
III. Sensitive Personal Data Information (SPDI)
Section 43A: Compensation for failure to protect data
Section 43A of the IT Amendment Act imposes responsibility for protection of
stakeholder information by body corporate. It states as follows:
“Where a body corporate, possessing, dealing or handling any sensitive personal
data or information in a computer resource, which it owns, controls or operates, is
negligent in implementing and maintaining reasonable security practices and
procedures and thereby causes wrongful loss or wrongful gain to any person, such
body corporate shall be liable to pay damages by way of compensation, to the
person so affected”.
The IT Act has a specific category, “sensitive personal data or information,” which
consists of password, financial information (including bank account, credit card,
debit card or other payment details), physical, physiological and mental health
conditions, sexual orientation, medical records, and biometric information. This
legally obligates all stakeholders (i.e., any individual or organization that collects,
processes, transmits, transfers, stores or deals with sensitive personal data) to
adhere to its requirements.
IV. Privacy Policy
· Every bank captures Personal Information of customers as defined in the IT Act.
Hence, it is mandatory to ensure the security of personal information.
· This information must be protected by maintaining physical, electronic, and
procedural safeguards by using appropriate security standards such as ISO
27001 to ensure compliance with regulatory requirements.
· Further, the employees of banks should be trained in the proper handling of
personal information.
· Even when such services are outsourced, the vendor companies who provide
such services are required to protect the confidentiality of personal
information they receive and process. This aspect must be contractually
agreed and the compliance of this monitored.
· The specific information collected is to be confirmed with the customers. The
type of information collected could be Non-Personal or Personal
Information. For example, when the customer visits the website of the bank,
information about the IP address of the device used to connect to the Internet
is collected (Non-Personal Information). Personal Information is the information
provided by the customer, such as name, address, phone number and email.